SpywareGuide Greynets Blog

A Note Of Caution....

Wed, 23 Jul 2008 13:45:25 +0000

In the last few days, we've discovered a program that attempts to get around certain privacy related features on Myspace groups (which are effectively mini-forums run by Myspace users). Note that the program doesn't attempt to do anything to individual end-users like infect their PC - and as long as you're not posting up personal / private information to Myspace groups that you don't want to risk being grabbed by nefarious individuals, you have nothing to worry about. (As a general rule of thumb, you shouldn't post sensitive information to any third-party website in any case, but that's another story).

We're not posting up any additional information at this time, because we don't want to cause a mass stampede by people to grab the files in question and start using them left, right and center until Myspace has had a chance to tackle the problem.

For now, we've passed on everything to Myspace and hopefully they'll be able to resolve this speedily.

Smash and Grab

Tue, 22 Jul 2008 14:27:42 +0000

Ever wondered how much damage can be caused with what is likely a few handily placed keyloggers and trojans?

Well, this is probably a good (bad?) place to start.

"Also while that was happening the person who stole my GoDaddy account also stole our paypal accounts and charged several thousand dollars to us. PayPal is working to get that money back, so far about 600.00 was retrieved but we are still waiting for news on the other funds."

Ouch....

Homer's Odyssey

Fri, 18 Jul 2008 17:52:08 +0000

Well, it's been a pretty busy week here as Homer Simpson + Malware = quite the commotion.

It started off with USA Today, VNUNet and CNET, then appeared on Slashdot over the weekend. After that, the sheer joy at being able to use Homer Simpson pictures in tech-related writeups was evident. Who would have thought it would finish off with Matt Selman himself (the Simpsons scriptwriter responsible for the whole "Chunkylover53" phenomenon) writing about the situation.

Pretty nuts. Heck, I even got to do a four minute Podcast that (from what I've been told) goes out to around 100 radio stations in the States. I think the closest I got to crossing security with popular culture previously was ye olde net-war (that revolved around a "stolen" picture of Lindsay Lohan - long story), but this one has Homer Simpson in it so clearly it wins by default.

However, what a lot of people might have missed - in fact, I nearly missed it myself - was something that appeared shortly before the plug appeared to be pulled on poor old Homer. Here's a screenshot of his previous message history - you can see how many times it was constantly changing:

Click to Enlarge

Here's the final message I saw before the lights seemingly went out on Homer:

Click to Enlarge

That message is particularly interesting, because it refers to a group of individuals who were involved in this Comcast hack not so long ago. Were they involved here? Or are the real culprits simply blaming someone else?

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 18:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, Simpsons fans galore with net access immediately added "Chunkylover53" to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

What's interesting here is that as far as I'm aware (and please, correct me if I'm wrong), the AIM screen-name"Chunkylover53" is not necessarily connected to the "official" chunkylover53@aol.com email address - anyone could have set up that AIM screen-name, using whatever EMail address they feel like. However, people will naturally add "Chunkylover53" to their AIM accounts thinking it will be the "real" Homer. This is where the problems set in.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file called "Kimya.exe", about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control, or indeed, related to what you're looking for in the first place.

We detect this infection as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Twitter Spam

Thu, 10 Jul 2008 13:55:06 +0000

The plan - to grab as many followers as possible:

...then when you think you have enough of them (admittedly, our spammer here is settling for a less-than-grand total of 56), send them....

.....some spam. In this case, the spam is for a website showing you how to "run your car on water". Well, it's better than viagra ads I guess. Here's a good article which covers some more Twitter spam.

Malware Install Hides Behind Fake Blue Screen Of Death

Wed, 09 Jul 2008 19:42:24 +0000

This is a particularly strange hijack that typically begins with the following file opened up from the web:

If the file is allowed to execute on the PC, you may well see the dreaded Blue Screen Of Death (or BSOD to its friends).

However, all is not what it seems. While the end-user is faced with the horrors of the BSOD, behind the scenes Malware is installing by the bucketload.How is this possible, I hear you cry? Surely if the PC has crashed, nothing can be installing?

Not in this case, because the blue screen of death is fake - to be more accurate, the bad guys have taken Sysinternals blue screen of death screensaver and bundled it in with the hijack files. This is what the .scr file looks like on the PC:

And this is what you see if you explore the code:

It seems the bad guys are not without a sense of humour. Hiding a blizzard of infection file installs behind a legitimate screensaver created by a security expert is pretty bizarre. Here is the registry entry created:

Meanwhile, here are just some of the files installed onto the PC during the download:

Click to Enlarge

The PC pretty much grinds to a halt while all of this is taking place:

When the computer finally comes back under your contol, you can expect to see numerous warnings related to fake antispyware programs appearing all over the desktop:

Click to Enlarge

Collectively, we detect the various bundles on offer here as Fake.AV and Smiddy.

Discovery and Research: Chris Mannon, FSL Senior Threat Researcher

More Websites Asking For MSN Logins...

Wed, 09 Jul 2008 17:04:40 +0000

A fresh wave of spam messages related to the website covered here have started popping up on MSN Messenger clients. Avoid the following domains:

get-that-stuff.info
imagefrosty.info
hostapic.info

How Can I Find Them? They Haven't Gone Missing!

Wed, 09 Jul 2008 13:45:35 +0000

I've often highlighted the utterly worthless spam messages that seem to endlessly circulate on Facebook, usually warning not to add (insert random name here) because they're an evil hacker and will destroy your PC, kill your family and so on.

Well, today I came across another such message:

.....insert gag about them being related to Chuck here....but underneath that message was something far more interesting:

Sounds serious, right? It seems personal, because it's their friend missing which adds a little more urgency - they provide a contact email address to notify them on, and it mentions a real world example of someone who went missing and was found via the Internet.

However.

Dig into this a little bit, and it all becomes clear quite quickly that something isn't quite right here. For starters, search for the missing persons name and there is no mention of him ever "going missing". Nothing on websites, news pages....it's like the whole thing is a work of fiction. In fact, buried in unrelated entries is the following snippet from a page on myyearbook.com:

Click to Enlarge

Check out the name of the "hacker" you shouldn't add. It seems someone has simply swiped the name and started pasting it into spam messages. A quick search of Facebook confirms the name and face go together.

A quick search for the email address listed as a contact brings up more interesting posts, this time posted to a personal blog:

Click to Enlarge

Same text....same reference to "real world" example....same email address. This person sure does get through a lot of missing friends! Note that this "missing person" chain letter has now stepped outside of Facebook and into other websites and networks.

At this point, you're probably wondering about the validity of the "real world" example, aren't you? Well, that would be a good idea! Notice they don't give any detail - it simply says "That is how the girl from Stevens Point was found by circulation of her picture on TV", and expect you to accept it as is. If you go searching for that phrase, it doesn't take long to find a page on Snopes.com regarding a missing girl hoax that stretches back some years:

"Please look at the picture, read what her father says, then forward his message on. Maybe if everyone passes this on, someone will see this child. That is how the girl from Stevens Point was found by circulation of her picture on tv..."

An email hoax, wrapped up and repackaged for the Facebook generation.

"Interesting" Advert Placements On Facebook

Thu, 03 Jul 2008 19:45:10 +0000

I've had a few people mention "odd things" happening when trying to install an application on Facebook called "Gridview". Well, I decided to try it out. On the install screen, you see this:

Makes sense so far. Here's the install screen where you agree to let the application loose on your profile:

Click to Enlarge

Once done, you see the following screen and this is where it all starts to go a bit wrong:

Click to Enlarge

Note that the application is ALREADY installed by this point, because the Gridview icon is on your list of current applications (highlighted by the red box on the left).

However, top right (also highlighted) is a box made to look like a standard Facebook "continue" button. When installing the application for the first time, this caught me out too - I didn't notice the app was already installed and (naturally enough) clicked the "continue" button, thinking there was something else I needed to do to complete the installation.

Imagine my confusion, then, when I was suddenly presented with this:

Click to Enlarge

A page asking me to download "Mothers Day E-cards", via IAC (creators of Smiley Central, amongst other things). By this point, you've left the Facebook network completely and are sitting on a page served up by an advertising network - go back to the Facebook screenshot above and check out the URL at the bottom of the browser. That's the actual destination of the "Continue" button.

That's a pretty sneaky tactic, if you ask me.

What needs to be established is, who is responsible for the placement of the fake "Continue" button? Is it the creator of the application, or is it legitimate advertising space on Facebook being subverted in a rather creative fashion by an advertising agency promoting IAC products?

I've tried reinstalling the application a few times, and the graphic displayed sometimes changes to more overt "this is an advert" style banners leading to other sites offering similar downloads / offers. Other applications installed don't seem to display sneaky adverts like that in the same location, but every application install is somewhat different so that's not really a conclusive answer.

At any rate, be wary of what you click on when installing Facebook applications...

Content Scrapers And Security Blogs

Thu, 03 Jul 2008 08:48:19 +0000

I saw an interesting post over at Anti-Virus-Rants today, where Kurt Wismer linked to an article regarding content scraping. In essence, the site doing the scraping (Security Ratty) ended up with "Security Ratty is a slimy, content stealing thief" on the front page. I find this interesting, because not so long ago I'd considered doing something similar with one of those fake security spam blog things that lift the content and splatter a ton of adverts on their site, while removing correct attribution.

Instead, I decided to do a little digging and quickly traced it back to a guy running a whole network of various sites, blogs and other networks. However - something didn't seem quite right. For all intents and purposes, he seemed like a normal, legit guy. He had pictures of himself on various portals. He openly advertised his main line of business, which (I think) was something to do with accountancy. There was a personal blog about pet dogs.

Holding fire on the "Here's a post specifically for your scraper site poking fun at you, aren't I clever" post, we found out that the guy had purchased a bunch of ready-to-roll blogs in good faith and had no idea the sites were removing correct attribution (and replacing it with fake names), amongst various other things. Realistically, I didn't expect him to know the ins and outs of all the little details that turned reproduction in good faith into something that just about started to cross the line. A few helpful emails back and forth, and everything was fixed at their end and it didn't snowball into some big stupid argument over nothing.

Coming from an arts background, I'm realistic enough to know that if you put something out there, it's going to get copied and / or republished without your permission (or worse) down the line. That's the risk of publishing material online, and to a large degree, there is absolutely nothing you can do about it. The way I see it, you spend the rest of your days on a futile hunt to shut down all the content scrapers, or accept that (at the very least) the information you hope may be of use to somebody will reach and help them in some way.

If it doesn't have my name attached to it, I can live with that - but I'd rather invest my energies in research and writing than a few hours brief "victory" via a slow procession down an RSS feed. I'm not familiar with the ins and outs of the particular case linked to, but for all I know, the scraper site in question is entirely automated and devoid of any real life person manning the controls. If that's the case, the "victory" is rendered almost entirely pointless save for a cool-for-a-while screenshot.

Is that really a good use of time and effort? Personally, I'm more pleased with our behind-the-scenes EMail resolution but different strokes, different folks and all that...

Your 419 Mail Roundup

Wed, 02 Jul 2008 18:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...

Social Networking: When It All Goes Horribly Wrong

Tue, 01 Jul 2008 20:33:10 +0000

Interesting article over at PCWorld:

One of the first social networking upstarts, MySpace, is facing continuing security problems that threaten to spoil many of the innovative features that make the site useful.

Hackers, spammers and Internet malcontents have turned many of the "group" sites, which are dedicated to interests such as home beer brewing, animal welfare and gay rights issues, into cyber-graffiti walls, filled with offensive comments and photographs.

Link here.

The Angry Spamtool...

Tue, 01 Jul 2008 20:29:27 +0000

Here's a spamming program that targets Xfire users, with a particularly distasteful name. If you're under 16, you'll probably find the name incredibly lulzy (or whatever it is that kids under 16 are saying at the moment). Open up the zip the program comes in, and you'll see that it's called...er...

...yeah, charming. Note that it also comes bundled with a solitary MP3, presumably to rock out to over and over again while you get your fill of spamming chatboxes for a small portion of eternity.

Here's the application in action - there seems to be an abundance of angry, red shouty faces with this one, doesn't there?

Click to Enlarge

Hit the "Bomb Em" button, and the program rather helpfully asks you how many times you want to nuke your victim. For no real reason, I went for a comic reference and selected 52:

But wait! One more charming popup box awaits:

Click to Enlarge

.....anyone think the creator needs anger management classes yet?

Fast Track to Botnet Central

Tue, 01 Jul 2008 10:41:45 +0000

Its true, you too can finally get into the botnet you always wanted. Finally the ability to be a zombie computer under some losers control is yours!

Seriously though, becoming a victim to a hacker's botnet is incredibly easy. These attacks are not typical to other forms of destruction found on the internet. There true intent is usually to remain hidden from view until called upon. In the case of FastTrackBot however there is a new objective. FastTrackBot downloads several executable files that keep your computer clicking on the attacker's affiliate links. These executable files keep the webpages in hidden iexplore.exe windows in order to hide the application from suspicious eyes. If you're using X-cleaner, I suggest you take a look at the Expert Tab. The Show All Hidden Windows function is great for showing you exactly what is open at the time.

FastTrackBot phones home to several of these sites in order to keep the user clicks through affiliate links.

Aside from creating invisible windows to hog your bandwidth up, it also attempts to install a rogue anti-spyware application. This is a popular technique when attempting to fraud the victim into leaking credit card information when actually attempting to purchase the fake product. FastTrackBot inserts a fake security center that appears identical to the one found in Windows XP.

As you can see in the address bar, this is not the actual security center. Clicking anywhere on this window means almost certain doom in the worst way possible...a never ending stream of fake "YOU ARE INFECTED!!!!" alerts.

In order to kill the actual application, you have to remove it from memory first, then remove its autostart which is found in 5 different locations - or simply remove with our free Microscanner.

My Name......is......Neo!

Mon, 30 Jun 2008 17:35:39 +0000

As Keanu would say, "There's a bomb on the bus".

I mean, "Whoa". He might also have said "Excellent", but that was definitely the wrong film.

At any rate, here's an infection from China called "Agent.NEO", which probably has some deep seated relevance to the Matrix trilogy. Or maybe not. There aren't tons of screenshots of desktop fireworks, because by and large, this infection doesn't hit you with the pretty whiz-bang effects on your monitor. What it does do, however, is drop a ton of files onto your PC (many of which do strange things - here's a couple from various directories):

...slows everything down to a crawl, attempts to detect and disable security programs, contact a remote mail server with network sensitive data, hijack your IE:

Click to Enlarge

....and tries to show you a couple of Chinese popup ads (none of those pages were online at time of testing, otherwise there'd be multicoloured screenshots galore below).

I'm trying really hard to end this writeup with a really cheesy Matrix reference, but I can't think of any so in conclusion: avoid Agent.NEO at all costs (but watch the films again, they're awesome).