GFI LABS Blog

Moving House

2012-01-13T11:05:00.001-05:00

Yes, we are :)

Click the image to visit the new GFI Labs Blog

An inevitable move, this. After all, Sunbelt Software has been part of GFI Software for more than a year now.

This didn't happen overnight, though. We tip our hats to our colleagues in Malta who worked hard to put up our new home and brought the Labs under one domain. At the very least, you, dear Reader, are now spared the confusion of whether to call this website the "Sunbelt Blog" or the "GFI Blog" ;)

What you're reading here now is our 4,100th published post; it is also our last. We're just glad that our "Goodbye!" is short-lived.

Moving to a new home is just the start of better changes that are about to take place. To continue receiving the latest research and noteworthy information security news from us, we urge you to update your RSS to point to the new GFI Labs Blog feed.

Cheers to all of our avid readers! Chris and I will see you on the other side :)

Jovi Umawing

Phishers Use US-CERT Email Address as Bait

2012-01-12T03:58:00.000-05:00

The United States Computer Emergency Readiness Team (simply known as US-CERT) is the latest bait phishers used to get users to install malware on user systems.

US-CERT is a highly esteemed and trusted body of security professionals who tackle cybersecurity issues in the United States. They also work with security vendors to address vulnerability issues. With such impressive credentials, it is possible that some private organizations, including federal, state, and local governments, might have fallen prey to this campaign since they appear to be the targets.

From the US-CERT website: "Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.

"The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" with the "X" containing an incident report number that varies.

"The attached zip filed is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX."

The complete report is found here.

Jovi Umawing

StalkTrak App gets Naked, Famous.

2012-01-11T23:57:00.002-05:00

"No way" indeed.

The Naked and Famous were displaying the following Tweet on their feed earlier:

Click to Enlarge

Visiting hampaw(dot)ru takes the end-user to tivvitter(dot)com/twitter_stalk-trak_app_user, where they are presented with an application install page for something called "StalkTrak":

Click to Enlarge

The end-user can only progress to the next page if they enter both a username and a password - continuing past this screen will result in links to "StalkTrak" being sent to their followers.

Stalking apps are an old and tired scam dating back to the Myspace days, but unfortunately we continue to fall for them. Please steer clear of the above URL, and think twice before allowing any applications involving "Stalking" to access your Twitter account. You can always clean up your Twitter account here by revoking access to unwanted applications.

Christopher Boyd (Thanks to Jovi Umawing for assistance)

GFI's Take on What Online Crime Will be Like in 2012

2012-01-11T09:15:00.001-05:00

In a recent release of GFI Software's VIPRE report, GFI Labs revealed that recycled tactics from cybercriminals will not cease this new year. Modifications on these tactics will only be slight, and will depend greatly on the kind of targets these online criminals are aiming at. To quote Senior Threat Researcher Christopher Boyd: "Most cyber-attacks at any given time rely on old techniques deployed with a new disguise. The reason we see them again and again is quite simply because they work, and we anticipate 2012 to bring many fresh takes on old scams."

You can read more about this report here.

Jovi Umawing

Bogus Video Game Crack Leads to Rootkit

2012-01-11T00:56:00.001-05:00

Matthew, one of our malware researchers at the AV Labs, came upon a MediaFire link on a YouTube account that purports to direct users to a site where a crack code for the video game Pro Evolution Soccer 2012 (PES 2012) (otherwise known as World Soccer: Winning Eleven 2012) can be downloaded.

click to enlarge

Of course, one doesn't need to go hunting for a YouTube page for the URL. Here it is: http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld.

Users visiting the page can readily download and extract the compressed file Pro Evolution Soccer 2012 Keygen. In it are three files: an HTML file, a text file, and another compressed file, which contains the key generator application. The text file doesn't actually contain the password it claims to have. Instead, it contains a shortened URL users must visit to get the password from.

click to enlarge

http://tinyurl(dot)com/64ad4m is actually http://lnkgt(dot)com/7RM, a survey page that users must answer before their password is given to them.

click to enlarge

Unfortunately, after users fill in the survey, gets the password to be used to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it's a rootkit: ZeroAccess, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. Take a look.

Do note that the MediaFire URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).

click to enlarge

The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!

Jovi Umawing (Thanks, Matthew)

2011: The Year that was for Facebook and Online Threats

2012-01-04T03:53:00.002-05:00

CommTouch, an Internet security service provider, has recently released their Internet Threats Trend Report for 2011. In this report, they have highlighted and analyzed the various threats on Facebook that had plagued users for the past year, such as social engineering ploys and common methods of attack used. They also identify three ways on how criminals gain and what these are for targeting Facebook users. CommTouch provided an infographic (below) to showcase their analysis in a more coherent format.

click to enlarge

The 19-page Internet Threats Trend Report mentions malware and spam trends in Q4 of 2011. It also ranks website categories that are most likely to house malware if compromised—Sites tagged as Pornography are at #3. Below are other notable finds in summary:

India, Vietnam, and Pakistan were the top three countries with the most zombie computers.
Phishers mostly targeted sites that were related to Games and Gaming.
In Q4, spammers used fake @gmail.com email addresses to trick users into responding to their spam messages.

The report can be downloaded here.

Jovi Umawing

Team Meat Spun Right Round

2012-01-01T21:11:00.002-05:00

"It's fine, trust me. I've done this stuff for a while now." Famous last words.

Team Meat, developers of Super Meat Boy, had a bit of an issue this past week when their Super Meat World database was compromised. This resulted in the game being broken, and all user created levels being deleted.

They were notified by a person in this thread on Twitter that access to their database was wide open, but the responses from the official Meat Boy account seemed to be a bit of a brush off in the eyes of some watching the drama unfold. Before you could say "This is going to go horribly wrong", it all went horribly wrong and login details were posted across various forums.

The post it notes summary of events can be found here; a thread on the official forums lies this way and if you'd rather take in the full horror of an entire game being put through the wood chipper then check out this blow by blow account. The game is now back up and running, but we have what may be the final game developer of 2011 to join the "Whoops, we were hacked" company of Sony, Square Enix, Steam, Nintendo, SEGA, Bethesda, EA, Codemasters, Epic and others.

Let's see if the trend continues in 2012, assuming the Mayans don't get us all first...

Christopher Boyd

Steam: All your coal are belong to us

2011-12-30T05:40:00.000-05:00

The rather awesome Steam gaming platform has a festive competition running at the moment - perform certain tasks in a selection of games drawn each day (or sign up to a few non gaming activities like join a forum, or link your Steam and Facebook accounts) and receive a free random gift. I have to admit - I'm not doing very well so far.

Click to Enlarge

That gift could be a redeemable coupon for a free game, a discount or...a lump of coal. All is not lost should you be handed a lump of coal - collect seven, and you can craft it into another randomly selected discount or free game.

Click to Enlarge

This is, of course, where it all goes horribly wrong.

1) Gamers are exploiting the various "Indie Bundle" packs that go on sale periodically. This particular gaming bundle is a "pay what you want" affair, typically stuffed full of great games and additional offers should you pay a little extra (we still need to have that talk, Windows users). The latest Humble Indie Bundle went live not so long ago, and in a mad dash to create as much coal as possible to increase the chances of free games in Steam gamers were paying the base amount for Indie Bundles, redeemable against Steam accounts.

From Platform Nation: "For just 1 penny you can nab yourself a Steam redeemable key, and make your account valid for entry in the Epic Giveaway and the freebie prizes. That means you can create 100 accounts for just $1"

Whoops. They must have really gone to town on that one, given that the mass purchasing caused the price of the bundle to drop by more than 25 cents.

Greedy gamers have also been targeting the "IndieGala Bundle" which gives a separate Steam account for each game - effectively five duplicate accounts for the lowest potential price of a penny. Once you've got your hands on all those wonderful discount coupons and free games, you can potentially gift them to your "main" account and sit upon a throne of murkily acquired titles.

2) With shades of Xbox achievement tampering, people are distributing save files / text files to unlock Steam game achievements needed to win coal / coupons. Here's an example of someone loading up a file not belonging to them, nabbing the required achievement in Binding of Isaac and getting their hands on a free game. That's kind of dreadful, and by "kind of" I mean "completely".

3) Gamers are firing up a Steam achievements modding tool, to ensure they nab as much coal as possible.

Click to Enlarge

Here's someone who clearly went on an "unlock all the things" rampage. As you can imagine, these antics are not proving popular with non cheating gamers.

Coal farming isn't going unpunished, and Valve are starting to clamp down on anyone seen to be farming and / or exploiting. You may well be seeing many more examples like the below on forums posted up by vaguely annoyed gamers who want their accounts reactivated:

Click to Enlarge

If Valve catch you being naughty this festive season, they won't even leave you with coal. Top that, Santa...

Christopher Boyd

Hobbits and surveys: not a good combination

2011-12-22T01:50:00.000-05:00

It's not long since The Hobbit trailer made a lot of people very excited, and already we're seeing fake claims of "watch this movie online" leading to surveys.

For example:

Click to Enlarge

You know the drill - fill in the survey to "view the content", then fail to be impressed by the total lack of content on offer. You'll either see nothing at all, or websites asking you to sign up to monthly fees. Don't fall for it!

Christopher Boyd (Thanks Robert)

Phishers are Back to Target Chase Clients

2011-12-20T06:47:00.003-05:00

Robert Stetson, one of our malware researchers at the AV Labs, found a new phishing scam in the wild.

The scam arrives as an email that directs users to the URL, data-server(dot)host(dot)org/email/protect/chase/.

click to enlarge

After Chase clients provide their credentials into the fields of the purported legitimate bank page and click Log on, they are then directed to another UI where they are to enter their email address and its password.

click to enlarge

Chase clients, please be duly warned about this. For the rest, please delete from your inbox doubtful mails that purport to come from banks (including yours). If you received an email from your bank about your account, confirm with them via customer service.You know what they say: Better safe than sorry.

Jovi Umawing (Thanks to Robert)

"Curious Who's Stalking You?" - Yes, we've heard it before

2011-12-16T07:15:00.003-05:00

This social media "stalking" thing, to the best of my knowledge, all began on MySpace. We've seen them emerge on Twitter, too: our friends at Sophos wrote a so-called "app" that Twitter purportedly released to track a user's stalker. Only this time, no such app is ever involved.

click to enlarge

We've seen the tweet above pointing users to the URL, canbin(dot)ru—a domain created just late last month. Once users click it, they are then directed to twvitter(dot)com/user_login-sessions/?timed_out=1. It's a phishing page.

click to enlarge

There are two things we can take note from it: (1) the URL, which clearly tries to play tricks with our eyes (much like this one), and (2) the purported Twitter session that has timed out. Naturally, if one is logged onto Twitter and sees the message, they'll wonder for a second, and then unknowingly key in their user name and password anyway. Perhaps the only "error" we can see in this attack is that the site attempts to access the actual Twitter site the same way a real third-party app or site would to make everything seem legit. However, Twitter requires tokens from such apps and sites. Since we know that this is a bogus page, it doesn't have a token; thus, it can't successfully redirect users to their actual accounts as it was supposed to.

click to enlarge

We impore you, Dear Reader, to please exercise caution when clicking links on tweets. Even better: use your better judgment on whether you'd believe a supposedly interesting tweet or not before considering visiting the URL that goes with it. More often than not, scam tweets are designed to sound this way to actually make Internet users click them. Please don't be fooled.

Just like the "Girl Killed Herself" scam that made rounds within Twitter not so long ago, this, too, will probably go down in history as a classic attack involving two social networking giants. This is not a comforting news. As long as user continue to fall for scams, they will just keep coming.

Jovi Umawing (Thanks to Chris for spotting this)

Protecting Against DDoS is Probably THE Best Holiday Gift to Give Your Company

2011-12-14T06:19:00.001-05:00

For the lot of us who rely on the Internet to get news updates, we are made familiar with Distributed Denial of System (DDoS) attacks. Anonymous being on the headlines continuously for months made this kind of online crime conspicuous, even ushering it unexpectedly to the realm of mainstream.

DDoS attacks have been used not just by the aforementioned group but also by other groups and individuals for various reasons: making a stand for what they believe in, showing support for the beliefs of others, or doing it "just because". We can't deny the fact that names of companies that fell prey on DDoS attacks were huge and they encompass industries, but one cannot totally eliminate the very likely possibility of small- and medium-sized businesses being targeted as well.

Those whose businesses have an online presence are aware and worried, and if possible, they want to be protected from DDoS attacks. So how can this be done? InfoWorld published an article that tells business people just that. You can check it out here.

Jovi Umawing

Adblock Fuss

2011-12-13T13:47:00.000-05:00

I'm a big fan of Adblock Plus - it's a great add on if you don't want to be hit over the head with any number of spinning, flashing adverts torn straight from the pages of Dante.

However, an interesting change has been made to the program with the release of 2.0 and some users are up in arms about it:

Click to Enlarge

"Adblock Plus has also been configured to allow non-intrusive advertising. You can change this selection at any time in the filter preferences."

Blasphemy? Madness? Sparta? Who knows, but we now have a situation where users aren't happy about the opt in by default setting, or indeed approving adverts in general no matter how limited the scope. There's a page on the Adblock Plus site that outlines some of the reasons for this change:

"You can allow some of the advertising that is considered not annoying. By doing this you support websites that rely on advertising but choose to do it in a non-intrusive way...In the long term the web will become a better place for everybody, not only Adblock Plus users. Without this feature we run the danger that increasing Adblock Plus usage will make small websites unsustainable."

As for why this is set live by default:

"If we ask users to enable this feature then most of them won't do it — simply because they never change any settings unless absolutely necessary. However, advertisers will only be interested in switching to better ways of advertising if the majority of Adblock Plus users has this feature enabled."

I'm not entirely convinced that advertisers so fond of flashy, spinning adverts from the back of beyond will tone their adverts down just because of this move - and hey, let's not forget that adverts meeting the requirements to be potentially given the green light ("static ads, text only, no attention grabbing images") can be just as dangerous if not more so than the flashy horrors still on the blocklist.

One good thing that may come out of this move is a possible reduction in infections. No really, hear me out. I know a lot of people who have told me they never installed Adblock Plus or similar programs because their income was primarily driven by dedicated communities, and they wanted to put something back into those communities by not blocking their (static) advertisements. For example, a professional comic artist or writer is supported by their community; as a thank you, they won't block the adverts on the sites belonging to their fans or webcomic rings.

As a result, quite a few of them were hit by drive by installs and exploits while browsing the web with no ad blockers in place.

If the Adblock Plus team do a good job of this, it might actually encourage more people to now try the program and let a few (hopefully harmless) adverts through while using their new found installs to block malicious adverts elsewhere with a clean conscience.

That can only be a good thing. However, much will depend on their examination of the approved advert networks, their advertising methods, the kind of links those advertisers allow (and how they react to the bad apples that slip through the net) and whether or not the userbase approves of the opt in by default setup.

We'll have to wait and see how this one plays out...

Christopher Boyd

Blackhole Exploit Hones in on Amazon Users

2011-12-13T09:58:00.001-05:00

Last week, our friends at ThreatPost posted about the ever-growing infection of websites hosting Black Hole Exploit Kits. A Black Hole exploit takes advantage of unpatched Windows operating systems. It also targets other software, such as Java and Adobe Reader, that can be installed on Windows platforms, which are a lot. Since the kits are already available in the black market (for free), we can only expect more infections and news surrounding this particular kit.

And, oh: Facebook users should watch their backs, too.

Our malware researchers at the AV Labs, Robert and Matthew, has seen something in the wild that might spoil the holiday spirits a bit. It began as an email message supposedly from Amazon with the subject "Your Amazon.com order of Omron WXH-108F Fat Loss... has shipped".

click to enlarge

Clicking any of the links on the email body directs users to jongerencentrumdebus(dot)nl/wp-content/uploads/fgallery/news.html, a likely compromised site, and then directs to ageoloft(dot)info/main(dot)php?page=525447c096f8efbf, a known Black Hole Exploit Kit host.

click to enlarge

The said ageoloft(dot)info automatically downloads a .PDF file (an exploit) onto systems. This then exploits Adobe Reader to run malicious executable files on these systems. Furthermore, a worm, which GFI Software detects as Win32.Malware!Drop, is downloaded onto systems.

We detect the exploit page as Trojan.JS.Obfuscator.w (v); the PDF file that is part of the kit, Exploit.PDF-JS.Gen (v).

With the number of Internet users shopping online using services such as Amazon and eBay, it pays to be cautious fourfold, especially at this time of the year. Criminals know when and how users—you—spend their time there.

Jovi Umawing (Thanks to Robert and Matthew)

More bad ads in Bing, Yahoo search

2011-12-09T12:09:00.001-05:00

Another round of bad ads in Bing and Yahoo search are making an unwelcome return. Bing has fake Firefox adverts:

Click to Enlarge

Yahoo has fake Adobe Flash adverts instead, located at gripwise(dot)com(dot)au/player/:

Click to Enlarge

As you can see from the below screenshot, the Gripwise URL where this is located appears to have been compromised:

Click to Enlarge

Both sites will give you the Privacy Protection rogue, and the domain used for the fake Firefox download (ipropertyoffice(dot)com) has active exploits so please steer clear. VirusTotal scores weigh in at 17/43, and we detect as Win32.Malware!Drop.

Click to Enlarge

At time of writing, Microsoft have been notified and have said the adverts have been pulled. All the same, be very careful when clicking on sponsored adverts for common downloads such as Firefox, Flash and others. As we've seen time and time again, scammers are all too eager to push malicious files on unsuspecting users.

Christopher Boyd (Thanks Matthew)

Holiday Horrors: food stamps, phish and PDFs

2011-12-07T20:24:00.000-05:00

Our monthly Top Ten threat detection report for the month of November is now available to take a look at, along with information on some of the scams we've seen these past few weeks including emails tempting users with infected PDF files, food stamp shenanigans involving mobile phone services and phishing emails containing HTML form attachments, some of which are still doing the rounds.

The Top Ten can be viewed here.

"For your protection, your Barclays account has been suspended..."

2011-12-07T20:08:00.000-05:00

If you see an email arrive in your mailbox with the above title, feel free to discard it - nothing good will come of it, unless your idea of "good" is "filling in all of your personal information into a fake banking webpage then sending it to a scammer."

The missive is sent from a free Yahoo email address, and works along the same line as these scam mails from a few weeks ago.

Click to Enlarge

They claim your account has been suspended due to a large number of incorrect login attempts, and reactivation is a case of filling in the attached form before the 9th of December - otherwise your account will be disabled. With a fake time limit imposed on the customer, they open up the attached HTML form and see that it asks for an awful lot of information. Name, membership number, passcode, date of birth, mother's maiden name, address...

Click to Enlarge

Of course it gets worse. Before you know it, our panicked bank customer is filling in their sort code, account number, telephone banking password and the three digit security code from the back of their card.

Click to Enlarge

Once all of this is done, hitting the "Next" button submits the data to the scammer then redirects to the Barclays website. Please avoid mails such as the above and keep your money where it belongs - your bank will never email you asking for account information (and they certainly won't email you from a free webmail account!)

Christopher Boyd

"Steam Birthday" crashed by party poopers

2011-12-05T07:22:00.001-05:00

Here's a rather amateur phish targeting Steam users, located at steambirthday(dot)com. No birthday prizes for guessing what this scam is all about:

Click to Enlarge

You know you're dealing with a special kind of phish when the opening ramble begins with "Steam is 3 years old: the Steam project started in 2003" and "In a really short time our servers became more and more and today there are more than a thousand meters of them".

According to the website, Valve - the creators of Steam - are giving away "1000 Gold accounts, which will allow you to play all 72 games for free" (Steam actually has 1,400+ titles available for download). Hitting the gold coloured "Upgrade now" button takes the end-user to a brilliantly convincing phish page. Or, to be more accurate, it takes them to missing images and screwed up HTML code:

Click to Enlarge

The site is already flagged in Chrome as a phish page, and hopefully IE and others will follow suit soon. For now, let's hold off on the birthday celebrations.

Christopher Boyd

New Facebook Worm in the Wild

2011-11-29T05:26:00.001-05:00

Our friends at CSIS, a Danish security company, has spotted a worm spreading within the Facebook platform. In a recent news article penned by Peter Kruse, the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems.

The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare.

Please keep in mind that securing your information, including your social network credentials, is a must. Never unknowingly click links on messages sent over by online contacts. Make sure that they did send messages to you first before doing something; else, it is best if you simply delete them from your message inbox.

Jovi Umawing

FakeScanti Rogue Hijacks HOSTS Files

2011-11-28T17:17:00.004-05:00

Patrick, our resident rogue AV expert from the AV Labs, have his eyes set on one particular family—FakeScanti. This rogue family first appeared in the first quarter of 2010, and it has been within the radar ever since.

Enter AV Protection 2011.

This particular rogue is the latest variant in a handful of noteworthy rogues within the FakeScanti family. What's interesting about it is that it modifies the infected system's HOSTS file upon execution, a capability common to backdoors and worms. AV Protection 2011 directs users to 46(dot)4(dot)179(dot)109, a malicious IP in Germany where AV Secure 2012, another FakeScanti variant, is housed. It does this when users enter either google.com, yahoo.com, bing.com, or facebook.com in the Internet browser address bar.

click to enlarge

Internet users can encounter this rogue if they are led to pages via search engine optimization (SEO) technique or via a spammed link where, once visited, downloads a Blackhole exploit kit where this rogue AV is bundled with. We detect AV Protection 2011 as Trojan.Win32.FakeAV.IS (v). We can also detect and clean the modified HOSTS.

If you may recall, this isn't the first time HOSTS files are hijacked by criminals to dupe users in so many ways. In this particular situation, phishers modified the HOSTS to direct users to fake pages of popular banks, such as Bank of America and Citibank, whenever they key in the legitimate bank URLs in the address bar.

Users are advised to be wary of clicking links in emails. If you didn't contact the party that sent such mails, it's always best to not bother yourself with them and delete them from your inbox. Be careful with how you do searches online as well, since the criminals behind rogue AV are still banking on the old yet very effective SEO technique.

Jovi Umawing (Thanks to Patrick)

"Così fan tutte"

2011-11-28T11:05:00.000-05:00

A company who make installers distributing the software of third parties recently contacted us to query a detection. As it turns out, their installer was not the problem - they were partnering with a company whose toolbar continues to have a history of misleading and deceptive installs.

The interesting part of all this was the discussion over how the programs caught the attention of the end-user in the first place. Here, it was big green download buttons on download sites that looked (for all intents and purposes) like the button the end-user should click on to begin their desired download. Instead, it would take them to vaguely named installer files. Examples of said buttons:

Click to Enlarge

As a response, the basic argument set forth was "We want to be clean, but it's so difficult when everybody else is doing whatever they can to snag an install over a company attempting to play by the rules". On the surface of it, this would seem to be the case - pre ticked checkboxes, dubious installers and poor notification inside the programs we download are bad enough, but poor choice of advert placement (and adverts that themselves look like Facebook notification prompts and other elements that would fool a regular web-user) muddy the waters still further.

You can see these on everything from search engines to garden variety adverts on any number of websites you care to mention, and as social networks continue to grow in influence so too do 2.0 themed adverts continue to vie for your attention.

Disappointingly, the bulk of the case set forth boils down to "everyone else is doing it". Here are some of the examples they sent over:

Click to Enlarge

Above you can see a rather large green tick and a "Download now" button which completely overwhelm the simple text link that happens to be the one the end-user is looking for.

Click to Enlarge

The above example has a rather prominent (and unrelated) download banner at the top and another download link off to the right - personally I don't feel this has as strong a case as the first example, although three green download buttons on the same page is always going to cause confusion for somebody.

Click to Enlarge

Above, we can see the actual download button fairly dwarfed by a larger one off to the right. Much like the other two, you can bet this has resulted in a number of "Wait, what?" style downloads.

None of this is new, of course - you can easily jump back to 2008 or earlier and see the same sort of thing taking place on Facebook application installer pages. It's worthwhile advising relatives you suspect will wander into these setups to be on their guard, because as far as many companies out there installing Adware and other products are concerned it's a case of Così fan tutte.

Christopher Boyd (Thanks Eric)

"Rogue browsers will make a comeback on the mobile platform."

2011-11-24T09:29:00.001-05:00

We've seen it here first: YapBrowser has risen after being declared dead five years ago—and this discovery is by Chris Boyd himself just a day before he presented at VB 2011 to discuss about rogue browsers, of which YapBrowser is.

If you missed the said conference or Chris's presentation, this podcast hosted by our friends at Help Net Security contains a comprehensive, lightning talk from Chris about rogue browsers, their history, their numerous payloads, and the possibility of them plaguing smartphones.

Not long ago, our friends at Trend Micro spotted the first rogue browser for Windows Mobile, Symbian OS, and Android phones, disguising as Opera Mini, a popular Web browser for mobile phones. This could be the start of a new trend. What we're sure of is that fake browsers are still out there, even if under the radar and on different platforms.

Jovi Umawing

Phish for Thanksgiving?

2011-11-23T16:51:00.016-05:00

Over the previous few days, our research team here at GFI has noticed an uptick in bank phishes winding up in a few of our spam traps. This particular scam is unique in that it comes with an html file attachment which leads to a form that attempts to steal from the unsuspecting victim all types of identifying information from the standard pin and password to their Driver’s License number and even a (fake) description of the last transaction made on the account.

As of this posting, we have seen e-mails targeting Bank of America and SunTrust customers and surely more will follow.

As always, please be wary of e-mails from financial institutions asking for identifying information. When in doubt, call the official phone number listed on the back of your credit card or the known customer service line for your bank.

So, while "fish" was likely a staple eaten during the days of the pilgrams, we here in the lab are going to stick to good ol' turkey this year.

Stay safe,

Robert Stetson
Malware Research Team

VIPRE Black Friday Special

2011-11-22T17:01:00.002-05:00

Here at GFI, we’re dedicated to providing quality antivirus software at exceptional values, and this Black Friday is no exception. Our Black Friday Sale features the biggest discounts of 2011 – up to 75% off.

Black Friday Sale

VIPRE Antivirus 2012 for $39.95 NOW $9.95!
VIPRE Internet Security 2012 for $49.95 NOW $19.95!

With prices this low, you can give the gift of PC security to Grandma, your sister, even that crazy uncle. Is Santa bringing a new laptop this year? Make sure he installs VIPRE on it first! It defends against viruses, worms, spyware, Trojans, rootkits and other Internet threats without slowing down your new (or old) PCs. The VIPRE 2012 editions feature the latest threat definitions and are easier to install and use than ever before.

This weekend’s VIPRE Black Friday Sale makes it easy and affordable to keep your family safe online this holiday season (and in years to come). So take advantage of the lowest prices of 2011 while the deals last.

From porn stars to strippers: careful with name games

2011-11-22T07:13:00.001-05:00

Way back in 2009, Sophos covered a bit of viral "fun" on Twitter where users of that service revealed their "porn star name" - comprised of your "first pet" and your "first street".

Well, look what's back in marginally altered form and racking up 8,000+ reblogs on Tumblr:

Click to Enlarge

Or, you know, don't. Stop and think how many services still ask for your pet name and street name on things such as password reset questions. Then pause to consider an email address you use may be public facing, and have just such a question bolted onto it.

You may want to keep your clothes on and stick to the day job at that point...

Christopher Boyd

Tumblr typo leads to iPad offers

2011-11-17T08:07:00.000-05:00

Here's a curious instance of a URL similar to "Tumblr(dot)com that seems to have been around for a while, capitalising on any typo happy Tumblr user eager to post up an image.

Skyrim - yes, this thing - has been a big deal on Tumblr of late and I noticed when clicking on the below image that it bounced me to an offers page rather than whatever the blogger thought they'd linked to.

Click to Enlarge

You'll note the correct URL - ending in "Tumblr(dot)com" - is in the highlighted blue box on the right. However, the blogger has attempted to enter the same URL in the "image clickthrough" box highlighted in red but managed to type littlemenbeingerased(dot)tumbr(dot)com instead. See that?

Tumbr(dot)com. One missing "l" makes all the difference!

An enterprising individual in China is responsible for that domain, and clicking the image makes this happen:

You're taken from the Tumblr blog to a site called "video-reward(dot)com, via a URL cloak website called "Secredir(dot)com".

Click to Enlarge

At this point, all the free iPads in the World can be yours.

Sort of.

Click to Enlarge

This one costs "£3 per message", though they go to great pains to point out that this isn't a subscription service. I think I'd still rather skip this one either way.

The Tumbr URL has been around since 2007, although a quick check of the Internet Archive shows it's been flatlined since creation - nothing but generic landing page adverts for years. It only seems to have been reborn sometime in 2011, redirecting people to the Video-reward site that's been registered since 2011.

Considering how popular Tumblr is, the owner of Tumbr(dot)com could be coining it in if even a small percentage of users are accidentally filling their blogs with it. Let's be thankful it's just offers and not malware...

Christopher Boyd and Jovi Umawing

October Threats Bank on User Inexperience and Carelessness

2011-11-14T00:26:00.001-05:00

This is what GFI Software Senior Threat Researcher Christopher Boyd has revealed on Thursday, November 10, after the release of VIPRE Antivirus 2012 in the US and UK. He continues: "They count on users being too excited by an exclusive offer or too trusting of online advertisements to do their due diligence. Whether users are downloading software or inputting personal information online, they should always do everything they can to verify that they are visiting a legitimate website and not a well-crafted forgery."

The complete report on this plus reminders on how to stay safe online as Black Friday and Cyber Monday draw near and the top 10 list of binary threats in October is found here.

Jovi Umawing

PDF Malware is Back in Season

2011-11-10T14:38:00.001-05:00

Avid readers of the GFI Labs blog can attest that they're no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer. What happens more often is that systems get infected and users are left wondering what happened.

Case in point—

click to enlarge

Our researchers in the AV Labs have been seeing an uptick of this particular campaign, which pose as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label". The message body reads as follows:

Hello!

Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.

Please print out the shipment label attached and collect the package at our office.

United States Postal Service

{long line of unreadable characters}

Here is what the attached file looks like once downloaded onto a system:

When executed, it connects to the IP address, 91(dot)221(dot)98(dot)29, and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:

followmego12(dot)ru
hidemyfass87111(dot)ru
losokorot7621(dot)ru
mamtumbochka766(dot)ru

Doing site checks could mean a lot of potential actions this malware might do, like downloading other binaries / components onto the infected system, updating a copy of itself, posting information to these sites, or waiting for commands from its controller. As of this writing, the file does not download other binaries or additional component files. Fortunately, we detect this malware as Trojan.Win32.Generic!BT.

As always, steer clear from these kinds of emails, especially if you haven't made transactions with such companies. When in doubt, double check with the supposed sender by calling their office for confirmation, but do not reply to the sender's email address. With Black Friday and Cyber Monday (not to mention Cyber Weekend and the holiday season) just around the corner and majority of the people everywhere are shopping online, it is wise to expect such attacks to multiply further in the coming days and weeks. Such an attack is not new; however, many are still falling for it. It's time to wise up.

Jovi Umawing (Thanks to Matthew, Robert, and Adam)

Skyrim Scammery

2011-11-10T12:34:00.000-05:00

Everybody loves dragons, and everybody really loves hunting these endangered creatures through their natural habitat before plunging about five hundred spears into their evil, cattle stealing hearts.

And so it came to pass that Skyrim would be released this weekend. It also came to pass that people would make fake websites and try to convince Elves, Orcs and vertically challenged guys with axes to fill in surveys and install things in return for free games which never materialise. Hitting the download buttons on all of the following sites will present the end-user with various surveys, offers of Adware and the occasional +10 damage modifier.

Searching for "Skyrim download" in Google gives us results as early as page one promising riches but delivering bundles of Rocks Fall, Everybody Dies:

Click to Enlarge

"The Elder Scrolls V: Skyrim full version download for free", claims Mashgaming(dot)com. Hitting the link takes you to another website - links(dot)downloading(dot)im - and serves up Ye Olde Survey Box:

Click to Enlarge

Here's another example of the same site, but this time presenting an Adware installer:

Click to Enlarge

Elsewhere, there are the typical Youtube scams you've come to know and hate, or at least roll your eyes at:

Click to Enlarge

I think they really want you to fill in those surveys. As the launch date for Skyrim is 11/11/11, you can bet there'll be the usual gamut of scams similar to the above doing the rounds - and the Mashgaming site listed above is now the second result in Google UK for "Skyrim download".

Click to Enlarge

Somewhat spectacularly, they nudge an official download site - Direct2drive - into third place with empty promises of games, goblins and gold.

And you still won't have killed any Dragons.

Christopher Boyd (Thanks Matthew)

S.N.A.P. Scam Will Make You Snap

2011-11-07T10:18:00.002-05:00

It's no real surprise when we see how scammers ply their tricks online in order to dupe practically anyone. They leave no room for distinction with regard to who they target. And why would they? When it comes to online fraud, everyone is a cash cow, even those with little to live off of.

Our AV Labs took a closer look at the website, snap(dash)help(dot)com/step/go/1/0, that is posing as the domain for Supplemental Nutrition Assistance Program (S.N.A.P.), otherwise known as the Food Stamp Program. It's a "federal-assistance program that provides assistance to low- and no-income people and families living in the U.S. Though the program is administered by the U.S. Department of Agriculture, benefits are distributed by the individual U.S. states." Here's an overview in Wikipedia.

click image to enlarge

When Internet users enter a ZIP code in the field provided, they are directed to a page where they can register their details. After this, they are taken to another page, asking for their mobile numbers:

click image to enlarge

Users who give out their mobile numbers will be subscribed to a premium SMS service. Should users have skipped entering their details in the registration page, they are then led to this page, which persists on asking for their mobile numbers...

click image to enlarge

...and one can only wonder why this is without informing users why they have to enter this detail or how it will be used.

"The entity responsible or the cellphone scam ad is gtoffers(dot)com—GameTheory, LLC, the same folks behind Social Ribbons and OpenInstall," said Eric Howes, Security Product Manager at GFI. "GameTheory, LLC is the company responsible for the blitz of Zugo—installing Zombie Me / Vampire Me / Make My Baby ads on Facebook...until Matt Cutts exposed the operation."

An insightful exchange regarding the relationships of the above-mentioned companies can also be read and followed in that exposé.

This is not the first time something like this happened and who knows how many more are out there.

If you want to avail of the SNAP program, visit this page instead. Notice the ".gov" extension of the domain? That's the legitimate government site, while the dodgy one is evidently a ".com".

We implore to users to be careful and be sure that the sites they're visiting should only be legitimate ones. Scam sites are at large in the Net. While scammers will take the deplorable step of targeting those less fortunate, there are plenty of online sources where free advice and assistance can be found.

Jovi Umawing (Thanks to Eric and Matthew)

Is RiRi in the Headlines Again?

2011-11-07T08:32:00.002-05:00

Fortunately, this is not the freshest Rihanna scoop you've missed on TMZ. It's a Facebook post I just found that set the alarm bells in my head, so I set out to investigate.

Clicking the link of this supposedly scandalous video leads to this page (Note that the URL is already something outside of the said social networking site, which is ezreality(dot)tk/):

click to enlarge

Clicking the play button of the player displays a text on the screen which says:

Restriction: To start the video, please share it again and click the >> play << button

If users click the Share button, they are sent to the legitimate Facebook login page where they can enter their credentials if they're not logged in. If they are, a browser window opens to show them exactly what will be posted on their Facebook wall.

click to enlarge

Sharing this video, as it turns out, is not an option. If users ignore the text displayed on the screen and click the play button the second time, a window pops up to remind them that they have to share the video before it can be played. There's no way around this one.

Once shared and the the play button is hit, users are led to a video of Rihanna overlaid with a survey:

click to enlarge

Survey scams have been plaguing Facebook users for the longest time, and scammers never fail to get someone to click on their links—and a lot of users are falling for these. It's not that the scammers' technique is sophisticated enough. It's how they socially engineer scams to make them too interesting for anyone to pass up. Below are a just few of these scams on this social networking site that we've spotted:

We encourage users to abide by this general safety rule when browsing Facebook: Refrain from clicking links, especially those that come with a video, from anyone on your stream that has a titillating, if not controversial, hook. More than likely, it's just bait for something nasty in the end.

Jovi Umawing (Thanks to Chris for the assist)

With Rogue AV, It's More Than a Game of "Spot What's Different"

2011-11-02T10:49:00.000-04:00

Rogue AV has been one of the biggest profit-generating schemes for cybercriminals since its inception. These past few months, however, our team in the AV Labs has seen a decline, and this is due to a combination of factors, including continued coverage of these scams in non-technical news sources, efforts on the part of the security community, and law enforcement continuing to combat rogue AV scams around the globe.

As they have many times before, cybercriminals are changing their tactics, but I doubt they’ll abandon rogue AV entirely. Considering the expertise they’ve developed for black hat SEO (BHSEO), it’s wise to always be on the lookout for rogues whenever a hot topic arises.

Our researchers also are observinge sites distributing fake AV via toolbars, video players and other misleading, fraudulent installers aside from the plain “vanilla” installs we’ve seen in the past, proving as long long as cybercriminals continue to profit from a scheme, they will stick with it.

The decrease we’re seeing may very well be temporary, but it’s really too early to say. Remaining vigilant ourselves and aware of what’s new with fake AV is the best way to keep users from falling victim. However, with increased awareness, I believe scammers will be forced to change tactics yet again, potentially in more radical ways than we’ve seen before to ensure end-users continue to be tricked.

click to enlarge

Pretty convincing, right? Are you confident that all the employees in your organization or all the users in your household would know that their PC has been infected and that’s not a legitimate AV program offering them advice and asking for their credit card?

And remember not everything with a snake logo is legit. Below is an example of a rogue AV trying to mimic VIPRE Antivirus:

When it comes to VIPRE, accept no substitute.

Below is an exclusive first look at VIPRE Antivirus 2012 and VIPRE Internet Security 2012, released today in the U.S. and U.K..

click to enlarge

Getting familiar with the actual, legitimate names and interfaces of AV software you, your business and your family use is one way for users to spot a fake. And cybercriminals generally target those who are not in the know.

The fight against online threats is a community and individual effort. GFI Software, together with other AV and security companies, is striving to keep the Internet a safe place. We encourage users to do their part. For users who become infected with rogue AV, GFI tracks the latest variants on its Malware Protection Center blog. There, users can find more information, screen shots, and removal tips.

Jovi Umawing

Arkham Shifty

2011-11-02T05:06:00.001-04:00

Hey look, a new Batman game. Would it surprise anybody to find Ye Olde Scam Sites touting fake Downloadable Content Generators that want you to fill in a survey before downloading them?

Not really, but here's a site claiming to give away free "Play as Robin" codes anyway located at robincharacterdlcfree(dot)info.

Click to Enlarge

As with every type of scam like this ever, you're offered (fake) programs that supposedly unlock download codes for both XBox and PS3 versions.

Click to Enlarge

Click the "Download now" button, and you're taken to the below survey offer.

Click to Enlarge

Humorously, this one offers a "PDF download" guide to assist you in redeeming your code - but clicking that link also takes you to survey offers. In all cases, websites such as the above should be avoided - they're just pushing dummy files or infections.

They're the scams Gotham deserve, but not the ones it needs right now. So we'll hunt the close browser button.

Christopher Boyd (hat tip to "BatMannon". No, really.)

A little too chatty?

2011-10-31T15:08:00.000-04:00

There's a program called ChatSend currently doing the rounds on Facebook, and at time of writing just over 114,000 people have hit the "Like" button which no doubt means a high proportion of that tally have downloaded and installed it. Including one in my stream—

The link directs to the Facebook page of ChatSend where one can readily download the app. Upon execution, it shows a GUI containing its Terms of Service and Privacy Policy. The GUI, however, is narrow and the text is not wrapped within the width of the text box, which makes it difficult for users to read as they need to scroll from left to the farthest right.

click to enlarge

Note the pre-ticked boxes that will install the toolbar in all browsers, set web search as default and change the homepage.

After installing, a window pops up to inform users that there has been an error in installing the program; however, it installs just fine.

click to enlarge

Not only does the program send the message seen in the first screenshot without notification, it also sends the same message via Facebook chat (if enabled) to all, too.

Interestingly, the EULA fails to detail the steps on how to uninstall the application should users change their mind about it when it was clearly stated:

"If you wish to withdraw your consent to any of ChatSend features as described herein, you should uninstall the Software from your computer. Uninstall instructions are detailed above."

As far as we can see, there are no instructions "detailed above". The uninstall steps are in their Facebook page (added yesterday) under the FAQ tab when clearly it should be included in the EULA. Despite this, uninstalling simply requires a visit to Add / Remove programs, or opening up the browser add on tabs in your browser of choice.

Do keep an eye on this one, Dear Reader, because Facebook blocks any URLs / links related to the ChatSend domain and there's quite a few posts like this starting to appear on help pages.

Jovi Umawing (Thanks to Chris for the assist)

Then: "co.cc", Now: "ce.ms"

2011-10-30T17:00:00.000-04:00

Not all netizens were happy when Google decided to pull the plug on "co.cc" domains last June, but it's a resounding win for those in the security industry. It had to be done as cybercriminals are creating free domains with the "co.cc" extension by the bulk to house and distribute their nasty binaries and fake AV.

Late last week, our friends at Zscaler discovered that cyberciminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex.

Of course, not all websites using free domains are malicious, but they are popular with those looking to infect your PC so please be careful if you see a suspicious looking URL combined with a free domain or you may end up with more than you bargained for.

Jovi Umawing

Shop 'Till You Realized You Got Dropped On

2011-10-27T12:21:00.002-04:00

From: info@eteam.org
Subject: {Definitely Spam?} SECRET SHOPPING JOB AVAILABLE/URGENT REPLY NEEDED
Message body:"We have a mystery shopping assignment in your area and we would like you to participate"

Secret Shopper(R) is accepting applications for qualified individuals to become mystery shoppers. It's fun and rewarding, and you choose when and where you want to shop. You are never obligated to accept an assignment.

There is no charge to become a shopper and you do not need previous experience. After you sign up, you will have access to training materials via e-mail, fax or postal mail.

ABOUT US

Secret Shopper(R) is the premier mystery shopping company, serving clients across America with over 500,000 shoppers available and ready to help businesses better serve their customers. Continual investment in the latest internet and communication technologies coupled with over 16 years of know-how means working with Secret Shopper(R) is a satisfying and rewarding experience.

Secret shopping as seen on ABC NEWS, NBC NEWS, L.A.TIMES.

Stores and organizations such as The Gap, Walmart, Pizza Hut, and Bank. One amongst many others pay for Secret Shoppers to shop in their establishments and report their experiences. On top of being paid for shopping you are also allowed to keep purchases for free. Secret Shopper(R) NEVER charge fees to the shopper. Training, tips for improvement, and shopping opportunities are provided free to registered shoppers. Mystery shoppers are either paid a pre-arranged fee for a particular shop, a reimbursement for a purchase or a combination of both.

You will be required to interact with the shop clerk.

You may conduct the shop alone or as a couple.

The assignment will pay $200.00/ Assignment

Kindly Fill Out the application form below and we will get back to you shortly with the assignment to this email

PERSONAL INFORMATION:

First Name:
Last Name:
Street Address:
City, State, Zip Code:
Cell Phone Number:
Home Phone Number:

AVAILABILITY:

Days/Hours Available

Monday .............................................
Tuesday .............................................
Wednesday .............................................
Thursday .............................................
Friday .............................................
Saturday .............................................
Sunday .............................................

Hours Available: from _______ to ______

We await your urgent response.

Thank you for your help.

We look forward to working with you.

Sincerely,

Frank James
Secret Shopper(R)

If you've received the above email in your inbox and thought to yourself, "This is a scam!"—you are right. It's a 419 scam that gives off that too-ludicrously-good-to-be-true vibes and doesn't really want you to be a secret shopper but would love to have your money, if not information that personally identifies you, which is exactly the case for this particular scam.

There's nothing generally new about this one since it began making its rounds in the later part of 2010 apart from the "{Definitely Spam?}" on the subject line, as if challenging recipients to suddenly question their earlier conclusion of it being something other than legitimate.

Don't fall for it. Don't fall for it. Don't fall for it.

Despite the abundant and readily available information on the Web, people are still ending up victims to such scams. And, sadly, the worst thing that could happen is that in the end, someone other than the victim pays the price. These false promises scammers make may seem irresistible to pass up, but believing an email from someone you don't know who offers to help you make money in exchange for your information (but more often than not, money) should be a cause for alarm.

So how does one spot a 419 scam? There are a lot of articles available on-line for that, too, but I think this is more complete than the rest. It's quite an old post but still holds some wisdom. Here is a more straight-forward FAQ page.

If you suspect that you received is a 419 scam mail, ignore or delete it from your inbox. If you want to be more proactive, check out this page for who to report it to. Most importantly, tell your friends and family members about this scam.

Jovi Umawing (Thanks to Wendy)

Honing in on Child Security

2011-10-26T12:50:00.000-04:00

The Internet Watch Foundation (IWF) is an organization formed and is based in the UK that basically aims to protect children from "child sexual abuse images online", in partnership with the netizens and the police. Today, October 26 marks the 2011 IWF Awareness Day, a day of taking part in reaching out to people via the Internet and other media to inform people that there is a contact / hotline they could actually connect with to report "criminal on-line content".

Organizations, such as IWF, are not the only ones who can do something to keep children safe on-line. Parents and every adult are and should be the prime movers of this great effort. I've listed here other risks and dangers children might encounter whenever they go on-line, apart from the usual age-inappropriate content we're all too familiar with:

(1) Web threats that are under the radar. This is especially true in social networking sites that young people frequent to more often. Since such sites are all about socializing and sharing, it is always possible for anyone to share links to locations where children could divulge their personal information or lead them download malware onto the system. The threat may also come in the form of advertisements, widgets, and apps served within a domain.

(2) Commercialism in its most crude and intrusive way. A lot of businesses—legitimate or otherwise—now have an online presence. Either way, some of these businesses lure adults and children alike to avail of products and services in exchange for personal information (e.g. filling in an online form) or money. Some of these services may be inappropriate for children, such as dating sites, gambling sites, and the like. The information used in signing up for them can be used for obtrusive advertising via pop-ups, spam, and even identity theft.

(3) Unwanted attention from others. Since the internet is just an extension of the real world, children might bump into sexual predators, bullies, and stalkers on-line without them realizing. It is not at all bad to meet new people, but when one is online, anyone could be whoever they want you to be.

Oh, one more thing: It is also a risk for children to take part or participate in any act of misbehaviour toward others and organizations, and by that we meant (a) they are cyberbullies themselves, (b) they harass other kids, (c) putting up lewd, inept, and generally disrespectful comments, and (d) being themselves the source of on-line threats. These and probably more, they can do because of the anonymity of the Internet. Of course, as we've been seeing in the news, such actions only come back to bite the doers one way or another.

It is of utmost importance that parents and responsible adults are aware of what these threats are so that they can caution children under their care and educate them on how to respond. It is also important that parents and adults know what their children are doing on-line, because the worst possible danger they could get themselves into could be something self-inflicted.

Jovi Umawing

Replication Jails: The Why Before the How

2011-10-24T15:35:00.000-04:00

This is probably one of the coolest podcasts I've listened to of late.

It is presented by Axelle Apvrille, Senior Mobile Antivirus Analyst and Researcher at Fortinet and she discussed how security enthusiasts can create or setup a testing environment called a replication jail for mobile phones while not breaking the bank. To put it simply, a replication jail to a mobile device is what a virtual machine (VM) is to a PC. The similarity between the two ends there, however.

In the cast, Apvrille pointed out that it is difficult to isolate an environment for testing for mobile phones (for security's sake) while at the same time allowing malware to behave the way it's supposed to behave while inside an infected phone (for veritability's sake). Current methods of isolation—like manually removing the SIM, using emulators, and setting up a Faraday cage—in order to prevent the threat from spreading to other mobile phones within a network are found to be flawed, Apvrille said. So in keeping with the objectives of what a testing environment should be, she proposed building up an exclusive operator network using OpenBTS, a free "software-based GSM access point". She explains how this is done here. Check. it. Out.

Jovi Umawing

Where in the World is Razim Al Hamed?

2011-10-23T08:53:00.000-04:00

Here's a Spanish language Facebook scam about the "World's richest man" giving away thousand dollar cheques to anybody that wants one.

You could probably write "Oh dear" and leave it at that, but let's take a peek anyway. Scams involving a chap called "Razim Al Hamed" have been bouncing around since at least 2009, and he's quite the subject of intrigue and mystery - or at least posts on Yahoo Answers. He pops up on Tumblr. He has an interesting set of search results in Google. He's super rich, yet you've seemingly never heard of the guy.

He's appeared on various "have some free money" sites in the past, and will continue to do so but 1000dolares(dot)org is the one we'll look at today.

Click to Enlarge

It'll come as no surprise to you that the "1,374,930 people like this" text is just a faked screenshot. Some of the rest of the page reads as follows (at least according to the nearest translator I ran it through):

"Razim Al Hamed, the world's richest man, is nearing the end of his life and his fortune has decided to share with anyone who requests it. His wealth is being distributed in checks of one thousand dollars to anyone who wants it, free!

Request your check for a thousand dollars here and receive money in the door of your house. Claim your check NOW!

Razim Al Hamed has already sent more than one million checks, hurry to claim yours! Complete all 5 steps are below and receive your check within the next 10 days.

Click on the Share button below and this share this message on 5 different walls of your friends on facebook

Razim to Hamed is giving away $ 1000 checks and keep sending checks to those who ask him! I am asking for my $ 1000 check now, his advantage and ask you a gift and is easy! Come on: 1000dolares(dot)org

Once finished entering all steps to collect your check"

Hitting the "Like" button (or in this case, the Me Gusta button) then hitting the Share button gives us this:

Spread the word, spread the wealth! Or not, as the following popup box puts the brakes on any cash advance from Mr Hamed:

Unfortunately, you won't be getting any money out of this one anytime soon. Anything you see with promises of free money from Mr Hamed should be taken with a mountain sized grain of salt, and that includes his appearances on everything from Facebook fakeouts and blogspot pages to finance forums and Youtube videos.

Now if you'll excuse me, I have a begging letter to write...

Christopher Boyd

VB2011 Presentations

2011-10-22T22:41:00.001-04:00

Click to Enlarge

A few weeks ago we gave a couple of talks at VB2011 in Spain. You can check out PDF versions of the presentations here. Even without the context of the talks themselves there's quite a bit of content there for you to get your teeth into. Our presentations were "Web Browsers: A History of Rogues" and "MUTE - Malware URL Tracking and Exchange", which was a group discussion with Kaspersky, Microsoft and Avira (we also took part in another group discussion, "Operation ShadySHARE - towards better industry collaboration", but the slides for that one aren't online).

Thanks to everyone who came along and listened, it was a lot of fun.

Christopher Boyd

RBC Royal Bank Phish Wading in the Wild

2011-10-21T06:00:00.000-04:00

Our researchers at the AV Labs just netted one of the latest phishing attempts that prey on clients of the Royal Bank of Canada (RBC) or RBC Royal Bank. Below is the screenshot of the email phish being spammed in the wild:

Click to enlarge

This email from "RBC Online" masquerades as an alert notification message regarding a security update. Upon reading the message body, however, it asks the recipient to validate their account with the bank. Like most unsophisticated phishing attempts, this is a bit of an odd one, too, since validating an account has nothing to do with "security updates" or a "scheduled system maintenance". Composition-wise, it doesn't make sense, and it seems that the phishers behind this scam merely used terms and phrases that could get recipients to potentially click their link.

Clicking "VALIDATE" in the email body redirects recipients to tipoco(dash)gps(dot)com/tinymce/rbc/, which should have triggered some alarm bells by now. More than the URL, let us look at the page itself:

Click to enlarge

It looks like a fill-out form one would normally see when attempting to sign up for an account, doesn't it? And if you find yourself asking this question, you'll realise soon enough that this is not the page you expected where you could normally validate your identity. It is a page that simply asks for a lot of personal information and begs answers to specific questions one might have used as hints on other accounts. Furthermore, the page claims that it is secure; however, the absence of the URL access method, "https://", tells you otherwise. The website icon used for this page does not carry RBC's insignia.

Recipients of the email phish is then directed to this "thank you!" page after they fill out the form.

Click to enlarge

As of this writing, the phishing pages are still up.

This isn't the first time RBC Royal Bank is targeted, so never fall for phishing scams such as this one. When in doubt, always look for the telltale signs (the URL, for example) that you might be somewhere you don't want to be in. You might also want to check out this page for another variant of this phish.

Jovi Umawing (Thanks to Wendy for spotting this)

Phishing page hacked, turned into PSA on the dangers of phishing

2011-10-20T01:27:00.002-04:00

Here's something you don't see very often. Someone - perhaps the recipient of the below phishing mail while having a Falling Down style day at the office - decided enough was enough and set out to hijack the phishing site they were sent to.

This is the email that started it all:

Click to Enlarge

"You have exceeded the storage limit on your mailbox.You will not be able to send or receive new mail until you upgrade your email.

Click the below link and fill the form to upgrade your account.

System Administrator"

Clicking the link would have taken you to the below phishing form that asks for Username, Password and Email address (along with password verification).

Click to Enlarge

Now? Well, it looks a little bit different:

Click to Enlarge

The original boxes are gone, replaced by the following message :

"There is no such thing as a central email service update a stupid criminal created this to steal your email account I have modified it to educate you about online crime he does not like that but that is too damn bad you can submit this form to see a helpful video about phishing stop letting stupid criminals like this one hijack your account have a great day"

Hitting the submit button takes you to a warning video about Phishing scams on CNET.

Click to Enlarge

There's no indication left as to how the person now in control of the site obtained the login credentials.

Phishing the phisher, perhaps? It does happen from time to time...

Christopher Boyd (Thanks to Robert and Wendy for this one)

Moving on

2011-10-19T15:25:00.002-04:00

After 9 years of building Sunbelt Software, and then working for GFI, I have decided to move on.

It's been a great adventure. I joined Stu Sjouwerman, who had built a distribution company, to start the "Software" part of Sunbelt Software. We started in 2002 with an antispam product, iHateSpam, for desktops. Then the same technology for Exchange. Along the way, we released other products, but the big change came in 2004, when we released CounterSpy.

I started the blog with my first post, "Why Adware Works" (it seems so innocent now...). We got a reputation for publishing our responses to cease and desist letters (as an example, our Hotbar C&D and our response). Along the way, we did fun things like give away motorcycles (a chopper and a Ducati), an inspired employee tattoed himself with VIPRE, and much more. It wasn't all about Sunbelt. We worked on PIRT with Paul and Robin Laudanski (they did all the work, actually). A group of dedicated security researchers and I helped a very nice lady get out of real trouble, and then we started a group to help other people in trouble. We broke the news on some pretty nasty stuff, like the infamous WMF exploit. Sometimes I would get bored and write about something else. People were nice and gave us all kinds of awards. And so on.

Going through the archives of this blog is a virtual history of the industry during one of its more interesting times.

In 2005, we started working on a new technology, VIPRE, based on a new philosophy for antimalware products. In 2008, we released VIPRE and the rest is history.

But with everything in life, there is a start, a middle and an end. I've turned the reins over to some incredibly capable people here at GFI. Eric Sites, the original Sunbelt Software CTO, is still here as Chief Scientist. Mark Patton, Sunbelt's VP of R&D, is now running global R&D for GFI. The threat team has been getting some great people, and the original team (which we started with Eric Howes, Patrick Jordan, Adam Thomas and a small number of others) has now grown to a large and impressive group. Jovi Umawing and Chris Boyd are now writing the posts for the blog, and doing a great job.

I'm very proud of the team we built here, and I will certainly miss all the great people I worked with over the past many years. We made great products together and built a wonderful culture.

Finally, I have to thank you. As a member of this community, you were a key part of this extraordinary experience and I thoroughly enjoyed the interactions I had with many of you.

Now, I am going to take a bit of time with my family, and discover my next great adventure. Feel free to reach out.

So long for now,

Alex Eckelberry
www.eckelberry.com

Latest Generation of TDSS Rootkit Gets a Serious "Upgrade"

2011-10-19T12:30:00.000-04:00

GFI Software made it in the books of Philippine cybersecurity history by taking part in RootCon, the first official security conference in the Philippines, which was held in Cebu City last month. Two of ours—Berman Enconado (Senior Malware Analyst at the Manila Labs) and Christopher Boyd (Batman)—had given talks during this two-day event. One of the topics we discussed was about TDL4, the fourth generation TDSS rootkit that made waves in June of this year because of its ability to propagate via removable drives / LAN and infect the Master Boot Record (MBR), allowing it to load on infected systems before the OS does.

Our friends at ESET have in depth analyses of this TDSS rootkit, and from what they have observed as of late, this nasty malware have evolved again; however, it's not the kind of evolution anyone might have expected:

"Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions. These changes might suggest one of the following: either the team developing the botnet has been changed, or TDL4 developers have started selling a bootkit builder to other cybercrime groups."

You can read more about it here on their official blog. By the looks of this, this TDSS is becoming more and more sophisticated the longer its developers continue to improve on it.

Jovi Umawing

Twitter phish DMs still very much alive and kicking

2011-10-19T01:55:00.000-04:00

Just a heads up that a popular Twitter phish is still doing the rounds:

Click to Enlarge

"Found a funny picture of you! mugweb(dot)ru"

Clicking the link takes you to twittelr(dot)com/verify-/session/login-/

Click to Enlarge

If you enter your details at this point, you've been phished and can expect to see your own account spamming junk at some point in the near future.

Christopher Boyd

RSA Europe 2011

2011-10-18T16:33:00.000-04:00

I'll admit, it's the first time I've stayed in a hotel room where they managed to nail four copies of the same picture to the wall horizontally instead of vertically. Here's one:

Click to Enlarge

The others were just as spectacular. Anyway, RSA Europe took place in London last week and there were a lot of talks to get your teeth into.

Click to Enlarge

Speaking of getting your teeth into, dinner was served in the form of packed lunches.

Click to Enlarge

The question I left Tim Berners-Lee was "How do I shot web?"

Click to Enlarge

I'm almost certain he'll get back to me on it eventually. Here I am talking about threats to workplace security in the form of videogame consoles:

Click to Enlarge

The talk itself seemed to go well, although there were a number of teething troubles and then some prior to actually getting up and rambling for half an hour. What's most interesting to me is that this is the first time I've submitted a videogaming threat talk to a more corporate event and had it accepted - maybe all those videogame company hacks over the past year have made people think a little more about the possibility of things going horribly wrong in this particular area of (in)security. At any rate, all of the conference presentation material is available to look at.

Next up is a VB2011 post, as most (if not all) of the conference content is now online...

Christopher Boyd

Another Bing advert to steer clear of...

2011-10-18T15:57:00.003-04:00

Here's an advert in Bing which wants you to install some adware located at chrome(dot)freewarecentral(dot)net - it was coming up in results when searching for "Chrome download".

Click to Enlarge

As with most of these downloads, the site is reasonably convincing:

Click to Enlarge

Hit the install button, and you'll be faced with the following Pinball Corp installer:

Click to Enlarge

After you've installed the adware, you'll be taken to

chrome(dot)freewarecentral(dot)net/download/?m1vcjhbpqo

which actually does give you the real Chrome. However, you could just go here and download it without all the additional installs. Microsoft have been notified.

Christopher Boyd (Thanks Matthew)

Hot Diamond Organization 419 scam

2011-10-18T03:13:00.001-04:00

Here's a 419 scam with a little of everything, including a wonderful fake website. First, the email:

Click to Enlarge

In case you don't want to read it - goodness knows, I tried - the "Hot Diamond Organization" have taken time out from selling diamonds and necklaces to give away one million dollars to "help individuals from countries facing terrorist attack and flood". No, none of this makes any sense. Below, you can see the Hot Diamond website located at hdiamond(dot)page(dot)tl which pops adverts asking you to install things. The ads we've seen contain Pinball network installers, which would give the user Real Player, XVID and Blinkx. Here's an example of what happens should you hit the "Install Xvid" prompt :

Click to Enlarge

If the end user ignores the advert popups, they still have the Hot Diamond website itself to contend with - a classy, sophisticated piece of social engineering that is absolutely not stuffed full of awful logic, stolen screenshots and spinning globes.

Click to Enlarge

Or, you know, maybe it is. Anyone with better observation skills than a pet rock will quickly realise that their "Lottery winner pictures" are just hotlinked files for everything from the Euro Lottery to, er, some other lotteries.

Click to Enlarge

By the time you get to their CEO / Board of Directors list, you get the distinct impression they're not trying very hard. Case in point, say hello to Mr. James Moore:

Click to Enlarge

Let's not forget Mrs Caroline and Mrs Mary, either. Finally, we have their "Send me all your money" form, which wants all sorts of personal information including banking details.

Click to Enlarge

I'm not sure this website hits the heady heights of this fakeout in terms of sheer dreadfulness, but it certainly comes close. You can happily ignore everything these scammers send to your mailbox.

Christopher Boyd

(Thanks to Robert and Wendy for finding this one.)

GMail Hacker: D'oh!

2011-10-18T01:17:00.001-04:00

One of our researchers has come across a supposed hacking tool—GMail Hacker Pro—that claims it can compromise GMail accounts. This tool comes with a fairly slick looking website (complete with live chat support) located at gmailhackerpro(dot)com.

Click to enlarge

During installation, it shows users a EULA. Let us just quickly point out that a portion of it states that a search bar will be installed with the program. During our tests, however, no search bar is installed.

Click to enlarge

Once fully installed, this tool displays a graphical user interface (GUI) and allows the user to enter a GMail email address in a text box. It then claims to "process" the account.

Click to enlarge

Once the progress bar reaches 100%, the user is told the "Password file has been located", but viewing the recovered passwords will require a product key.

Click to enlarge

In order to retrieve a product key, users have to pay 29.99 USD. If they agree to, they are then directed to a ClickBank website where they can make the purchase.

Click to enlarge

Clearly, this is designed to extract a tidy sum of money from unwitting users, and we'd like to save you, Dear Reader, the trouble of wanting to try it out. We categorize GMail Hacker Pro as a Trojan under the detection name GmailHackerPro.pj!.1a.VirusTotal scores currently sit at 16/43.

If you happen to lose or forget your GMail password, have GMail reset the password for you so you can access it again and assign a new password for it. Doing so won't cost you anything. That said, steer clear from this one, please.

Jovi Umawing (Thanks to Patrick for catching this one)

Interview with Rob Westervelt at Search Security

2011-10-17T18:10:00.001-04:00

On a recent press tour in Boston, I sat with Rob and chatted about security for small to medium businesses. Audio interview link here.

Alex Eckelberry

McDonald's Facebook scam: Happy Birthday to...Donald?

2011-10-17T01:39:00.000-04:00

I'm sure a McDonald's themed Facebook scam seemed like a good idea to somebody at the time, but wow is this one all over the place. It's your typical "Click here to Like", "Post a spam comment saying how good this is" then "do one of these offers" affair. However, there are many things about it that don't make any sense starting with the URL: macdonalds(dot)in.

Presumably they were thinking of the guy with the farm? Oh well, it's as close to typosquatting as makes no difference I suppose. Let's take a look:

Click to Enlarge

"Happy 44th birthday to Donald", they say. Except his name is Ronald and he was created in 1963, which means he's actually 48. However, things quickly become confusing at this point. This scam targets Facebook users in India, yet as far as I can tell he's called Ronald there. In fact, he's only called Donald McDonald in Japan and I have no idea how old that guy is.

This one claims you can pick up money or coupons (500 rupees or $12 coupons), and all you have to do is jump through some hoops. So far, just under 900 people have hit the "Like" button. The moment you hit it, this will be posted to your Facebook wall:

Facebook users are then asked to wish Ronald - sorry, Donald - a "Happy Birthday". Kudos to the chap at the top of the comments box who most definitely is not loving it:

Click to Enlarge

The page says "You will be redirected to the next step", and the next step would be trying to leave the page but being redirected to the following wonderful offer:

Click to Enlarge

Hey look, it's an Unhappy Meal containing one browser hogging spam offer and a distinct lack of plastic toys that you already have six of anyway. All the usual nonsense is onscreen, including the "Do you really want to leave?" popup box and the ludicrous countdown timer.

No, you do not want to fill any of this in. If you see any other websites out there asking you to fill in offers in return for free money to spend in McDonald's (or even Macdonalds) keep in mind that the site could be stretching the truth a little bit.

In fact...you might even say...it's a bit of a whopper.

Christopher Boyd

NoScript for mobile devices

2011-10-17T00:08:00.001-04:00

There's now a mobile device version of NoScript available for, er, mobile devices. If you're not familiar with NoScript, then take it away Wikipedia:

NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers...NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins only if the site hosting it is considered trusted by its user and has been previously added to a whitelist.

It won't solve all of your problems, but it's most definitely better than nothing and a long time favourite of mine.

Christopher Boyd

You lost your Facebook messages!

2011-10-16T23:16:00.000-04:00

Or, to put it another way, you didn't.

However, spam mail doing the rounds wants you to think otherwise.

Click to Enlarge

"You have three lost messages on Facebook, to recover the messages please follow the link below."

The links just go to the usual advert / viagra junk. What's kind of funny here is that an older version of this campaign claimed you were missing one message. Obviously the spammers decided to up the ante so now you have a whole three messages lost to the void.

If you were really that worried about losing your Facebook messages, I suppose you could just have copies of them all sent to your mailbox. At the very least, hover over the links included in these emails - you'll see that they take you to places that most definitely are not the official Facebook website.

Coming soon: "You have six lost messages on Facebook..."

Christopher Boyd

Everyone loves VIPRE, even those you wouldn't expect...

2011-10-14T11:27:00.002-04:00

We know people love VIPRE. But sometimes, we’re suprised that our own competitors love it too!

Symantec loves VIPRE so much, they’ve used the VIPRE snake!

Webroot loves VIPRE so much, they are giving out a VIPER scooter.

We like ours better. Here’s our VIPRE Ducati:

(And for a bit of nostalgia, here’s the CounterSpy motorcyle we gave out back in 2005):

Alex Eckelberry
(Thanks Brian)

The continuation of dangerous rogue ads on Bing (and Yahoo)

2011-10-13T20:58:00.008-04:00

We've noted this before, but Microsoft needs to get a handle on ad placements on Bing. Ok, so Bing isn't the most widely used search engine, but remember that Yahoo plays a part here as well.

In this case, we're talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the 'net right now. Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting).

So just search for "adobe flash", and you might see this ad:

(That same search term will look identical on Yahoo, since Yahoo displays Bing ads and search results.)

Which leads to an innocent-looking "download flash" page:

Note that the page isn't actually "GetAdobeFlash.com". Instead, it redirects to a directory on a compromised trucking site (arulbrothers.com), downloading a file from torreandaluz (dot) com/flash/Flash Player 10 Setup.exe

So let's download that Flash Player and run it through VirusTotal, and no surprise: It's Sirefef.

Alex Eckelberry
(Thanks to Matthew)

Microsoft Released Volume 11 of SIR

2011-10-13T09:27:00.000-04:00

It was early this week when Microsoft released its latest volume of the Security Intelligence Report, or SIR. This report, Microsoft noted, "exposes the threat landscape of exploits, vulnerabilities, and malware", aiming to "help you protect your organization, software, and people."

SIR volume 11 has a lot more findings, insights, and observations from the the first half of 2011. Below are just some facts and figures from the report that are worth noting for future reference and study:

More than 1/3 of malware detected (ab)use the AutoRun feature in Windows. These malware spread via removable drives and network drives.
Exploits that take advantage of flaws in Java, the OS itself, and HTML/JScript were most prevalent from Q3 of 2010 to Q2 of 2011. The volume of exploits targeting Adobe Flash increased by more 40 times compared to the volume seen in Q2 of this year.
Adobe Reader and Acrobat are the most affected software for document format exploits. No surprise here.
Windows XP SP3 (client) and Windows Server 2033 SP2 (server) are the OSs with the highest infection rates.
Adware, software that were deemed potentially unsafe, and Trojans are the most prevalent threats that were detected on systems. An example of this threat is FakeRean.
There was a 71.97 percent decrease of spam volume from July 2010 to June 2011 due to the takedowns of the Pushdo/Cutwail and Rustock botnets.
Phishers are now targeting social networks more than financial institutes.

The .PDF copy of SIR is available and can be downloaded here. If you're interested in backtracking previous volumes, Microsoft has made them available in their library page.

Stay informed, everyone!

Jovi Umawing

Seen in the wild: Slick new Google Adwords phish

2011-10-12T18:06:00.001-04:00

This new phishing campaign is trying to get Google credentials and it’s quite well executed.

Alex Eckelberry

Orkut phish serves up adult content warning

2011-10-11T10:07:00.002-04:00

Here's an example of the "Content suitable for adults" verification scam seen over on Tumblr popping up in the world of Orkut. Clicking through teases the end-user with semi naked body bits flopping about all over the screen, followed by a rather nice looking fake login.

Click to Enlarge

Google killed the site quickly, but these things tend to be a little cut and paste (I've seen the above collection of photographs used on many phishing pages, for example). Always use common sense when asked to verify, revalidate or do something else with the letter "v" in it.

Christopher Boyd

It's Wardriving Jim, but not as we know it

2011-10-10T08:40:00.001-04:00

Click to Enlarge

This is really quite brilliant.

Christopher Boyd

Phish falls at last hurdle

2011-10-10T02:42:00.001-04:00

This is a reasonably convincing "give us your personal details" phish until the last moment when it all goes horribly wrong. The site in the first two screenshots is dead, the form is still live and hosted at palimpalem(dot)com/4/tarjetasprepagas/index(dot)html

"VISA and your mobile phone provider gives you spectacular prizes."

Reasonably convincing:

Click to Enlarge

Reasonably convincing:

Click to Enlarge

Full screen scrolling Matrix code background sitting behind a form asking for card details and PIN numbers:

Click to Enlarge

....I've seen better.

Christopher Boyd

More fake iPad offers

2011-10-10T01:40:00.001-04:00

No, Apple are still not giving away iPads. Here's another Facebook fakeout located at the groanworthy URL stevejobsappleipad2giveway(dot)tk:

Click to Enlarge

Clicking the page elements they want you to click on takes you to the usual collection of offers and other assorted rubbish.

Click to Enlarge

Please don't fall for this nonsense.

Christopher Boyd

Another day, another XBox code generator

2011-10-10T01:01:00.001-04:00

An "XBox code generator" site has been popping up on video sharing websites and elsewhere recently, even though a lot of the content promoting it hawked "Runescape moneymaking". The site is dead now, but the executable it promoted is still doing the rounds so let's take a look.

First, the sales pitch - "How to make money with Runescape":

Click to Enlarge

Visiting the site would bounce you around a number of different redirects, all of which wanted you to download a program. The example below had some awesome pseudo tech babble:

Click to Enlarge

"This is a fully employed xbox whippy maker. It cannot move your xbox untaped account - it gives you a cypher".

Well, as long as it gives you a cypher. Anyway, hitting the "Generate code" button takes you to a download located on a free file hosting website. Like many programs of this nature, it cycles through a collection of (completely useless) fake codes each time you hit the Generate button. Most programs like this would have dropped something nasty on the PC by this point, or have asked for login credentials to email to the attacker behind the scenes. This one tries something a little different.

Click to Enlarge

You'll notice some text at the bottom of the program. It says:

"This version uses an outdated formula. The keys generated may not produce correct codes. Upgrade to 1.17"

I guess their cypher was faulty. Anyway, hitting the "upgrade button" - which I can't say I've ever seen in one of these things - takes you to a suspiciously named (dot)tk URL: xbox360generator(dot)tk.

Click to Enlarge

Strangely, it was pointing to a football website - I say "was", because it now leads nowhere. In this case, the scammer was probably worried they'd be shut down and attempted to point the site to somewhere less suspicious (didn't work).

Given the name of the .tk URL, it's possible that the scammer was attempting to first gain the trust of the user with the program, then direct them a web based equivalent that asked for login credentials. Maybe they just dumped you onto a survey scam instead. There's no real way to know now as all of the sites involved appear to be offline, but we can confirm this program does not generate anything remotely useful.

Including cyphers.

Christopher Boyd (Thanks to Alden Baleva for additional research)

YapBrowser has returned

2011-10-07T04:04:00.000-04:00

Yesterday I gave a talk at VB 2011 on the history of rogue web browsers - browsers that have been built from the ground up to cause end-users trouble. They often imitate the real thing, use similar logos to legit browsers, claim to be incredibly secure and offer lots of features and functionality. Typically it's all lies, and they're dropping rootkits, hijacking your desktop or clicking invisible links out of view from the person using it.

In my humble opinion, the worst of these browsers was something called Yapbrowser. This was a browser from 2006 that you could download, install and run just like any regular browser. Although it bundled with Zango adware, no hijacks were involved and you had the option to back out. Running the browser didn't raise any alarm bells - until you typed in a web address....any web address....and found yourself redirected to places you'd rather not go.

Click to Enlarge

Redirecting users to content that could send them to jail wasn't the best way to promote their browser, and it was quickly pulled. Shortly after the browser vanished, it reappeared for a few more weeks claiming "full protection from virus attacks" - that didn't last long, and Yapbrowser was finally buried in 2006 after being acquired by a company called SearchWebMe - the browser was gone forever, and the site was basically DOA.

Well.

While giving my slide deck a final runthrough, I noticed a screenshot I was using from the Internet Archive wasn't displaying correctly so I went there to get an image that worked. I'm not sure what happened next - I thought I was looking at the Yapbrowser pages from 2006. Then I saw this:

Click to Enlarge

"July 2011"? Uh oh. Sure enough, visiting the Yapbrowser website right now gives us this:

Click to Enlarge

Not only is there a "2011" notice at the bottom, there's a link to the Yapbrowser executable. The file appears to be the original from 2006, the EULA looks identical (to the extent it lists "yapbrowserATyapsearchDOTcom" as a contact, despite the fact that domain is long dead) and when fired up on a testbox it currently takes the end-user to Yapsearch, which is parked:

Click to Enlarge

Not only does it appear to be the same old file, the website blurb also makes the same ludicrous promises of security which are optimistic by any stretch of the imagination:

"Your computer will be free from viruses breeding online...There is a 100% guarantee no system infection will occur when using our software."

When did the site and browser decide to rise from the grave? It's hard to tell, but here's the last Archive snapshot of the Yapbrowser(dot)com site from 2009:

Click to Enlarge

As you can see, it's still dead. Archive.org don't crawl the site during 2010, but they do revisit in 2011 and at this point (Feburary 9th at the earliest) the site has returned, complete with old page layout, text and file download. One new change is the location of the download - whether clicking the "regular" download or the "adult" version, you're served the EXE from filesurfing(dot)com, which is a site used for "file searching" from download sites such as Rapidshare and Mediafire.

Click to Enlarge

Currently, Yapbrowser is registered to what looks like a company registered in the UK. The name of the URL listed as the contact email address differs from SearchWebMe who originally bought the site / program back in 2006, but it's possible they're one and the same.

Seeing this site lurch back into life, looking identical to how it did back in 2006 and with the browser download following close behind is quite a shock. I imagine anyone else who researched this one will be feeling much the same, and given the history of this program coupled with the (still) nonsensical claims of security and virus evasion it would be quite the leap of faith to want to download and use this program.

We'll be keeping a close eye on this one, and if the program starts to do anything beyond point at the parked domain we'll publish an update. For now? Our advice would be to stick with another browser. Like their highly appropriate slogan says: "Don't waste your time".

Christopher Boyd (Thanks to Matthew and Patrick for additional information)

Security Tools and Android Markets: Still Safe

2011-10-06T00:53:00.000-04:00

Seven months ago, Google officially released its Android app, the Android Market Security Tool, in response to an outbreak of malicious apps being served then on the Android Market website. Just a few days after, a trojanized version of the said app had been spotted, baiting users into downloading and installing it on their smartphones. This was served on third-party download sites. AV companies already detect the trojanized app.

If your antivirus software detects the Android Market Security Tool retrieved from the Android Market as malicious, even up to this point in time, let us reassure you that this app is clean. If you found yours elsewhere, however, more than likely your app is a fake one. It's best to remove it from your phone (or PC if you have a copy of it in there, too) and get the legitimate copy from the Market.

Jovi Umawing (Thanks to Dean Bueno)

Thank you, Steve Jobs

2011-10-05T21:53:00.001-04:00

I can't speak on behalf of all the folks on this side of the globe who loves technology, specifically from Apple. Who knows how these nifty gadgets have impacted their business and personal lives, but surely, the impact is hugely positive and lasting.

Thank you, Steve Jobs. You have made an indelible impression not just in the technology sector but also in the hearts and minds of people.

Jovi Umawing

Scammers Bank on Free Flights Before the Holidays

2011-10-04T03:02:00.002-04:00

Matthew, one of our researchers at the AV Labs, flagged us regarding a Facebook scam he spotted late last weekend. And his timing could not have been more impeccable. The scam is about Southwest Airlines giving away free tickets. Now, as a practical rule of thumb, if something free is given by (a) a non-friend, (b) a non-relative, and (c) a random someone / bot who / that found their way on your social networking feed, you better start thinking twice before clicking that link to accept the freebie. If they're from people you actually know? Double the amount of thinking.Trust me.

Click to enlarge

What made this particular scam interesting is that the scammers had used and abused a Facebook token generator to spread it. A token is basically an electronic key that is used to access something one does not readily have access to. In this case, a token is used to gain rights to post on Facebook walls.Once users click the link of the scam post, they are directed to www(dot)southwestisbest(dot)com where an entry box pops up, asking users to "access the offer" by entering a validation code. You can't go around this one, since there is no option to somehow allow a user to decline to do this action.

Click to enlarge

"Click Here to Generate Your Validation Code" - and a small browser window, with the URL m(dot)facebook(dot)com/ajax/dtsg(dot)php, shows to display the code.

Click to enlarge

Hitting the Submit button enables the app to post on the user's Facebook wall. "But wait!" It doesn't end there though. Users, clearly unbeknownst to the posting done on their walls, are then redirected to a page asking for their email addresses. After this, they will be asked to complete a survey.

Click to enlarge

Our experts had already reported this to Facebook and the sites had been taken down shortly after, in turn also terminating the issuance of tokens.

There are other Southwest Airline scams that have been making rounds on Facebook. One such scam was found by our friends at Sophos (Do check out that post, too). So far, however, this is the only one we've seen that uses tokens.

As the Christmas season draws near, criminals are taking advantage of consumers wanting to grab the cheapest flights towards their destinations. And they have been for the longest time we can all remember. Be prudent and smart when it comes to gimmicks you see online, never click on links that offer things that sound too good to be true, and never give away any information until you know what these companies are going to do with them.

Jovi Umawing (Thanks to Matthew for spotting this)

Google Anniversary scam mail gets it horribly wrong

2011-10-03T02:15:00.000-04:00

It seems scammers need to play a little catch up, or at least read the odd news site occasionally. Here's an email going around trying out the well worn theme of "Google Anniversary" 419 scam mails:

Click to Enlarge

"We are pleased to inform you that your email address has won you an Award in the Google 11th Anniversary Awards as organized by the Anniversary Centre of Google Inc. held on September 28th 2011 in London, United Kingdom."

Humorously, the scammers are sending out 11th anniversary mails when that actually took place in 2009 - we recently hit number 13. They don't need your financial details, they need a calendar.

Christopher Boyd (Thanks to Wendy for sending this one over)

Charitable Results

2011-09-29T13:00:00.000-04:00

One of our researchers noticed that searches in Yahoo! for popular programs will result in Yahoo! placing their own link as the first result, effectively bumping the official program links down into second place.

Click to Enlarge

Clicking the first link takes you to the Yahoo! Downloads portal instead of the official Teamviewer site which is sitting down in the number two spot.

Click to Enlarge

It's the same deal for various other downloads such as Skype:

Click to Enlarge

The downloads come with additional extras that you wouldn't see if you'd grabbed them from the official developer site. Cue GFI Researcher Matthew, who first noticed this:

"If the user runs the download from this page, they will be presented with an offer for the Yahoo toolbar and then either Shop to Win or Social Ribbons add-on. After the user accepts or declines these offers, the installer then downloads the actual Teamviewer installer from Tucows to the user's desktop and and prompts the user to run it."

Click to Enlarge

The SocialRibbons install is interesting - if you're not familiar with it, it's a browser plugin that inserts their affiliate code into the URLs of merchants' sites you happen shop at, then picks up the the affiliate commission when you make purchases at those sites. The idea is that an end-user would install it because Social Ribbons pledges to donate a percentage of that affiliate commission to charities.

However, the exact percentage of the affiliate commission that is donated to charity is not specified. Just one month ago they claimed that $18,000 had been donated based on 250,000 users - which works out to 8 cents per user. The whole point of this type of program is to drive shoppers to participating merchants' sites, yet no list of participating merchants is available on the Social Ribbons site. In other words, users don't even know where to go to make their shopping dollars count for charities.

Furthermore, the charities themselves are not specified - there is an example of the below installer mentioning the "Susan G. Kohen Foundation" - did they mean the Susan G. Komen Foundation?

Click to Enlarge

They collect basic demographic information and claim to monitor web surfing behavior for the purposes of targeted advertising, though this is never mentioned in a clear and conspicuous fashion outside of the EULA/Privacy Policy (Section 2, "Use of individual information").

All in all, there's a fair amount of additional content you're installing via these promoted search links that you wouldn't receive if installing from the sites of the program creators. It would perhaps be worth pointing out to relatives unfamiliar with promoted search engine results that you don't always get the "official" site as the first clickable link at the top of the pile - especially when the search engine you're using is placing links it has a connection with above the rest.

Christopher Boyd (Thanks to Matthew and Eric for additional information)

Green Card Lottery Spam

2011-09-29T02:28:00.002-04:00

Here's a curious bit of spam mail involving the well worn subject of Green Card Lotteries:

Click to Enlarge

Did you know the "Department of State" send out random emails from a free MSN address? No, neither did I. This multicoloured monstrosity claims you've won a US green card, then goes on to say you need to stump up $400 to seal the deal anyway.

Yeah, brilliant. They also claim you'll get a "free airline ticket to the US", use a lesser known .hm domain as their contact email address and their website contains the following disclaimer:

"USGreenCardLottery(dot)org is a division of 'US IMMIGRATION CENTER', a private entity not affiliated with the U.S. Government."

What a great name for a private entity, and not at all confusing. The best is saved for last, which would be the location of the lady who supposedly sent you this ticket to a new way of life in the first place:

Poor old Ken.

Christopher Boyd (Thanks Alex)

More bad ads in Bing

2011-09-29T01:32:00.000-04:00

Bad adverts in Bing leading end-users to Malware downloads first popped up on our radar on the 16th of September, and we covered them again on the 19th. Well, they're back again - this time promoting fake Firefox downloads whose ads are displayed when searching for....wait for it...."Firefox download":

Click to Enlarge

You'll notice they missed a trick there, advertising Firefox 6 instead of the freshly minted Firefox 7. The URLs involved are hotelcrystalpark(dot)com/firefox_1 and firefox(dot)dl-labs(dot)com, with the rogue downloads being hosted at the dl-labs URL. VirusTotal score currently gives us 6/43, with VIPRE detecting this as Trojan.Win32.Kryptik.cqw (v).

Christopher Boyd (Thanks to Matthew for finding this one).

Seen in the wild: 419 scammers now using calendar invites

2011-09-28T20:39:00.000-04:00

Desperate to purloin money out of stupid and desparate people, 419 scammers are now trying Google Calendar invites.

The pain of it is that if you’re using Outlook, the calendar invite is automatically accepted and you get a reminder popping up.

This has to be the rudest, nastiest spam I’ve seen in a long time.

Alex Eckelberry

The fake BBC video Facebook scam returns

2011-09-23T03:42:00.000-04:00

It seems scammers have a bit of thing for spoofing BBC websites at the moment. Yesterday it was work from home scams, and last month it was a Facebook wheeze which (in a nutshell) went like this: "Lady Gaga is dead and here's a BBC video to prove it, also click here."

Maybe the (unrelated) work from home fakeout has inspired scammers into a fresh round of BBC shenanigans, because the phony BBC video rides again on Facebook. As usual, it's surveytacular and is geared around fake Facebook messages promoting the completely fake BBC page:

If you believe the hype - and you shouldn't - a girl has "killed herself" due to her dad posting silly things on her wall. Also note that it's been posted via "My Best Stalkers", which sounds exactly like the kind of Facebook app end-users should be avoiding. Sure enough, clicking the link gives you this survey prompt:

Click to Enlarge

The site in question is sqvw(dot)myfannso(dot)in/e/, and is still currently live at time of writing. This is one news report you can afford to miss.

Christopher Boyd (Thanks to Matthew for finding this one).

Bioshocked

2011-09-22T02:24:00.001-04:00

Just a quick heads up that there's a Twitter spamrun targeting mentions of the videogame Bioshock Infinite.

The promise: "My friend got Bioshock Infinite free".

Click to Enlarge

The reality:

Click to Enlarge

A woman doing aeroplane impressions. Of course, people getting free copies of Bioshock Infinite would be quite a feat in itself, given the thing won't be released until 2012.

[Update 1] It seems numerous games are having the same spammy treatment - we're informed that poor old Batman is having similar problems with spam such as this:

"This is amazing! Get a FREE copy of the new Batman: Arkham City. Get one here"
"I love batman, I play the video game look at this"

As before, the URLs lead to linkdumps, spam offers and other assorted junk. Thanks to Pete for the heads up.

Christopher Boyd

Another round of bad ads in Bing

2011-09-19T10:26:00.001-04:00

We're seeing some more bad adverts popping up in Bing - just like the original attack, these results are served with very basic search terms so it's pretty easy to stumble into one of the bad URLs. The results below appear when searching for "Flash player download":

Click to Enlarge

In the below example, the end-user arrives at malaysiaaktif(dot)com/flash and the fake Flash Player file is served up from dl-softonic(dot)net (a slight change from the original URL used to push the files which flatlined a few days ago):

Click to Enlarge

As before, these are not particularly sites you want to be wandering into so please be careful when searching for basic tools, programs and files in Bing until these rogue adverts have a healthy dose of "put in jail and throw away the key" applied to them.

Christopher Boyd (Thanks Matthew)

Lucas Ex Machina: I never asked for this

2011-09-19T03:24:00.001-04:00

In-game advertising has been around for a long time (specifically since 1978, when the Scott Adams game 'Adventureland' placed a promotional message in the game for his next release 'Pirate Adventure', which involved crackers, a parrot and dying a lot).

There are three main types: Static (which as you probably guessed don't do much other than sit there advertising things. They don't change and can't interact with the outside world), Dynamic (which are adverts effectively injected into the game world on the fly, meaning your futuristic shooter can have up to the minute posters on the wall for Pepsi or Alienware or whatever. These can also track gamers with regards successful advertising - for example, length of time spent staring at it when you should have been shooting at other gamers). The final type is 'Advergaming" which would take way too much time to explain, so here's the Wiki page. Go nuts.

Attempts at ingame advertising can be successful (Keanu billboards in The Matrix Online? Meta), somewhat innovative or run into teething troubles - more often than not on consoles where EULAs and other agreements may involve some hoop jumping to read.

You can see why gamers tend to be irked by advertising in their gaming, and a case in point would be a furore surrounding a recent patch applied to Deus Ex: Human Revolution (which is apparently not the cause of said advertising furore, it's just some unfortunate timing.) Gamers are complaining about a somewhat noticeable addition to loading screens: see if you can spot it.

Click to Enlarge

I'm not sure if it's up there with the Vader "NOOOOOOOOOO", but it certainly gives Midichlorians a run for their money. A rather bright and unavoidable Star Wars advert sits in the bottom right corner of the screen, pleading with you to use the Force and buy the boxset. A few more examples can be seen here and here.

As you may have guessed, people aren't best pleased and the inevitable result is users attempting to game the system - you can see what I did there - and kill the ads off. Some are tweaking their Hosts file:

Click to Enlarge

Others are downloading random patches and mods from the internet:

Click to Enlarge

While there aren't any reports of malicious patches compromising systems (though the above popular ad killer currently hits a 1/44 detection in VirusTotal which appears to be a "Wisdom of the Crowds" thing), I can't say it's a great idea to be downloading files and hoping they don't blow your PC sky high. Another issue is that the game developers (or whoever is providing you the platform to play your PC game on, such as Steam) may not take kindly to tampering, and could theoretically ban your account / access / some other thing you can't really go without.

This would not be a good thing.

Of course, "patches" and cracks are appearing on Youtube and similar sites, all of which result in survey popups and fakeout websites galore - this probably won't matter one jot to anybody really desperate to hose that Star Wars promo and a clicking they will go:

Click to Enlarge

...and so on. For me, the most interesting thing about this one is that the adverts have gone live a little while after the game has already sold a stack of copies - I'm struggling to think of ingame adverts that weren't live from the moment the title was released, and this has contributed toward the negative reaction for what is a small (if distracting) advertisement. At any rate, it's definitely created an opportunity for people with malicious intent to snag some victims, either by survey affiliate moneymaking or the ever present threat of infection files.

It may well be worth waiting to see if the adverts are pulled due to the negative reaction before deciding to download File X from Site Y while crossing your fingers.

And Han shot first.

Christopher Boyd

Bing, Yahoo! Search adverts serve up malware

2011-09-16T04:23:00.001-04:00

Overnight we saw a number of adverts being displayed in Bing that were directing end-users to malicious content. These adverts were promoting all manner of downloads including Firefox, Skype and uTorrent.

Some of the search terms used:

"FireFox Download"
"Download Skype"
"Download Adobe Player"

As you can see, they're not particularly complicated or unusual searches so you probably wouldn't be jumping through hoops to reach these things.

Click to Enlarge

Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you'll notice that some of the ads display the "real" URL of the program mentioned, but take you to a rogue site such as the "Download uTorrent Free" advert above which actually takes you to aciclistaciempozuelos(dot)es/torrent).

Click to Enlarge

All of the malicious downloads are coming from en-softonic(dot)net, and here's their open directory with various files waiting to be launched on unsuspecting end-users:

Click to Enlarge

As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects. Current VirusTotal score for that one is 16/44, and we detect it as Win32.Malware!Drop. These adverts were also appearing in Yahoo search - we notified both Yahoo and Microsoft, and both companies are in the process of killing these things off.

It's entirely possible these sites will show up somewhere else, so be careful when downloading programs and make sure you're on the official site before grabbing anything. These are definitely not the kind of files you want on your system.

Christopher Boyd (Thanks to Matthew for finding this one).

DeepSafe

2011-09-15T11:28:00.003-04:00

I keep getting asked for comments on McAfee/Intel’s new Deepsafe. So what the heck, here goes.

This is a great marketing pitch. But remember that the platform that the technology is based upon, Intel VTx, is an open archictecture that any antivirus company can use. McAfee is innovating but I truly doubt it’s because of any proprietary relationship with Intel.

I just don’t think there is any secret sauce here. This stuff is available to us all, and if it makes sense to use it, we will.

Alex Eckelberry

Touchpad? Touchbad.

2011-09-15T05:00:00.000-04:00

Hands up: who wants a cheap HP Touchpad complete with charging dock and bluetooth keyboard?

Yep, you all do. However, not only does this prospect look a little unlikely due to the ultra scarce stock, you may well find you end up with a little more than you bargained for while searching for one of the few remaining deals knocking around the web.

Should you visit the rather long web address listed below (which may or may not completely ruin my formatting, cross your fingers), you'll be enticed by the rather awesome offer that includes all of the above for the low, low price of $159.99.

tigger(dot)horizon-host(dot)com/123/td/applications/SearchTools/touchpad(dot)html

Click to Enlarge

It sounds like a great deal. However, hit the "Buy" button and this website - which was pulling genuine content from a Tiger Direct page - would use some handy Javascript to load up a Survey box populated with data from fileice(dot)net.

Click to Enlarge

I must admit, seeing a survey in this instance is somewhat bizarre as typical survey scams involve the affiliate offering freebies in return for a completed survey. I guess they're banking on the lure of the cheap touchpad being too much for end-users to resist. An example offer:

Click to Enlarge

Yeah, that's super. Anyway, at time of writing the site in question appears to be down but I'd imagine others could well be attempting similar scams as stocks dwindle to nothing (assuming that hasn't already happened).

Time to go back to saving up for an iPad...

Christopher Boyd (Thanks to Robert Stetson, and a hat-tip to Stopbadware).

Gaming website offers up "FileZilla" and...Jeefo

2011-09-14T02:24:00.000-04:00

Just a quick heads up that a gaming website is offering up what appears to be a version of FileZilla, but is actually throwing the Jeefo Virus into the mix.

Click to Enlarge

The site in question is someofcs(dot)com, and (as far as we can tell) it looks as though you may have to be a member of the site to download the file in question. The VirusTotal result right now is sitting at 38/44, so at least there's decent coverage of this one.

Christopher Boyd (Thanks to Patrick Jordan for sending this over).

Rootcon 5: A Summary

2011-09-13T12:01:00.000-04:00

I'm not saying all of my trips go horribly wrong, but exploding toilets, 1984 style televisions, badges that make no sense, surprises in alleyways and emergency fuel dumps could perhaps convince you otherwise. You'll be pleased to know Rootcon 5 went off without a hitch (well, besides the earthquake drill, the eleven hours at Guangzhou airport and the lady with the foot in her face) and a great time was had by all.

Step up, Cebu Parklane International Hotel. Before:

After (well, during):

I think something in the region of 200(ish) people turned up to listen to talks on a wide variety of subjects. Ye Olde Cyberterror kept popping up throughout the event, as it's clearly a bit of a hot topic although there were plenty of other things to get your teeth into if you never wanted to hear the word "cyber" attached to anything ever again.

For the duration of the event, there were fairly spectacular gaming rigs available for people to hop on:

When the PC above is turned on it seems to glow brighter than the Sun:

Of course, this being a hacker con there were various wargames / capture the flag type events taking place too. While it's entirely possible I captured someone below simply wiping their face, I like to imagine the pwnage before her is so amazing that she is straight up shrieking into a napkin.

Probably not though.

Anyway, there was also an obligatory tshirt booth and everybody had a badge complete with a QC code or two to crack.

So there we go. As for the talks, they came thick and fast over the two day event. No prizes for guessing that I talked about videogame / PC game hacking and threats, but in addition to that there was a great ZEUS talk by Trend Micro:

Another presentation given by a chap well known for being involved in the legal side of things discussed the topic of whether the Philippines was ready for "cyber terrorism". I must admit, I was curious when I heard that "Cyberterrorism" was a "convergence of cybernetics and terrorism". I always thought that was something to do with scary robots, but feel free to plough through this lot and make sense of it for me.

There was also a fairly exciting kerfuffle between him and researchers from a company who gave a talk prior to this then found themselves referenced incorrectly in his own. I missed most of it, but below is some of the drama captured for posterity:

Yeah, that was pretty awesome.

Something else that was awesome was the TDL 4 talk by my colleague Berman Enconado, which explored the history of TDL 4, what it does and the damage it can cause.

Now it's time to break for cakes because, well, look at them.

Hacker cons tend to have some sort of lockpicking shenanigans taking place in the form of a village, but Rootcon had a one man lockpick village in the form of Jolly Mongrel who went through the various types of lock you could pick, examined a famous bank heist from yesteryear that involved lockpicking galore and also had some fun with handcuffs:

I also thought his tshirt said "I love Batman", which would have been amazing.

A quick prize draw at the GFI booth later (with a handily swiped fishbowl which I'm sure the fish didn't miss) and it was time for the panel talk including speakers from IBM, Trend Micro, GFI Software, that legal guy and a chap called Sven Herpig who is as awesome as his name suggests. It was about - you've guessed it - cyberterror, along with a bunch of random security questions including ethical vulnerability reporting, Wikileaks and, er, setting up an overseas anonymous security company that quickly wandered into a discussion about tax evasion.

Also someone said something pretty funny here, but I have no idea what it was.

All in all, this was an excellent event - especially as this was the first "official" security conference in the Philippines (despite there being four Rootcons prior to this, which were much smaller in scale). This had numerous speakers (both local and international), talks on a wide range of subjects, PC gaming, hacking events and booths stuffed with products and freebies.

Plans are already underway for Rootcon 6, so it would probably be wise to pencil in a visit to Cebu sometime next year. Thanks to everyone who organised the event and thanks also to everyone who visited the booth / listened to the talks, we had a great time!

Christopher Boyd

Hijacked sites serve up exploits, SEO poisoning

2011-09-12T11:19:00.002-04:00

Our research team have discovered a rather nasty SEO poisoning scam over the last few days, targeting 9/11 related search terms (along with anything else they can get their hands on) to attempt the infection of vulnerable PCs. They use a combination of the ~~Black Hole Exploit Kit~~ (Correction: Phoenix Exploit Kit) and an interesting "on the fly" SEO poisoning tactic to try and drop infections onto the target PC.

Shangpalace(dot)com(dot)vn was the initial URL our research team discovered, although there are quite a few others out there right now. It goes without saying that all of these domains should be considered hostile and visited only in a dedicated testing machine.

authorizationlettersample(dot)org
chiefpricingofficer(dot)com
craftyk9(dot)com
decaci(dot)mmister(dot)com
e-gizmo(dot)com
geekvenues(dot)com
glorioleedu(dot)com
gospeloftruth(dot)net
hotelcatedralvallarta(dot)com
jetpackdreamsthebook(dot)com
maresmortgage(dot)com
marianaemslie(dot)com
megadeth(dot)megawan(dot)com(dot)ar
moorethoughts(dot)com
plusidol(dot)com
rayoverde(dot)com(dot)ar
referencelettersample(dot)org
ritasresources(dot)com
saponifier(dot)com
saprivateschools(dot)co(dot)za
schorrsolutions(dot)com
secondmilecenter(dot)com|
sellbeads(dot)com
studio-r(dot)in
tisztaszenzor(dot)hu
trainerskills(dot)com
winbeforetrial(dot)com
bridging-the-gap(dot)com
ishmaelkhaldi(dot)com
joshtickell(dot)com
sofresh(dot)ro
themetalden(dot)com

Some example search terms:

Click to Enlarge

If you're unfortunate enough to visit one of these rogue links, then you can look forward to attacks on your PC. Here's what GFI Software Malware Research Supervisor Adam Thomas had to say about it:

"The server will return a script pointing to a malicious server which is running Phoenix exploit kit...the referral string used when visiting the compromised site must be an approved referral string (e.g. search.google.com). If not, the server will simply re-direct you to anon-malicious page."

Click to Enlarge

He continues: "The malicious domain ‘nvwjefrzacronyms(dot)info’ appears to be hosted on a server in Germany. Passive DNS data reveals several other likely malicious servers hosted at the same IP address."

serveruzgdf(dot)info A 109.230.217.113
acronymsoflh(dot)info A 109.230.217.113
zqqhfowhserver(dot)info A 109.230.217.113
cronymsu(dot)info A 109.230.217.113
aasfhcxserver(dot)info A 109.230.217.113
bpxtecdacronyms(dot)info A 109.230.217.113
nvwjefrzacronyms(dot)info A 109.230.217.113
acronymstxey(dot)info A 109.230.217.113

Adam tells me the site is "attempting to load as many exploits as possible in order to drop the payload". This is typically what the user will see while the exploits and files are busy behind the scenes:

Click to Enlarge

Here's an example VirusTotallink to one of the pieces of Malware being used - as you can see, 21/44 currently detect it. As with most attacks of this nature, you can expect to see multiple domains, files and search terms used to lure potential victims. Speaking of search terms, the people behind this are doing some interesting things with their poisoned search results. Adam again:

"The content for SEO poisioning can be generated 'on-the-fly'. To explain further, the owner of this SEO poisoning system can utilize their network of hacked domains to quickly generate any content desired. By simply passing a search criteria to the url 'shangpalace(dot)com(dot)vn/<search-term>', the 'SEO pack' generates relevant content based on the search term."

As an example, he passed a random search term to the server to see what would happen - "purple-golden-retriever", in thiscase. Sure enough..."Within 2-3 seconds a page complete with keywords, related search phrases and even relevant working images is returned from theserver."

Click to Enlarge

Pretty slick. Keeping your system patched and your security software up to date is a good place to start with regards to avoiding these kinds of attacks, in addition to running a Limited User Account and (perhaps) some browser based script blocking tools such as NoScript. There’s bound to be more domains out there playing host to the kind of badness seen above, and I’m pretty sure you don’t want to be caught out by this one.

Christopher Boyd (Thanks Adam)

Generating false hope with fake generators

2011-09-07T10:52:00.002-04:00

Another day, another random website offering up freebies that you'd be better off without. This time around, the site in question is located at freeamazingsoftwares(dot)blogspot(dot)com. The free programs include - stop me if you've heard this one - RuneScape gold generators, iTunes giftcard generators, Amazon Giftcard generators and XBox Live points generators.

Click to Enlarge

Of course, it doesn't matter which program you want to download - your final destination will be this:

Click to Enlarge

"Are you dumb? Find out now!" Never a truer word spoken, courtesy of ye olde survey popup. Assuming the user fills in one of the above quizzes / signs up to a ringtone service, they'll be free to download one of the above programs.

Will they work as advertised? Given that I've yet to see a working Microsoft points generator - and I've seen a lot of points generators - my answer would be "nope". Could you take that "nope" and apply it to all the other programs too?

"Yep". As with so many of these types of website, at best you'll get a non functional dummy download. At worst, you could end up with anything from a phishing tool to a piece of data theft malware. Worth the risk? I think we're back to "nope" again...

Christopher Boyd

Rootcon 5: Greetings from Cebu!

2011-09-07T07:18:00.000-04:00

Click to Enlarge

This year, Cebu Island is playing host to the fifth Rootcon security conference, which takes place on the 9th and 10th of September. GFI Software has two standalone talks at this one - "Introducing TDL4, a Sophisticated Fraudster’s Rootkit" by Berman Enconado and "Console (In)Security: The Oncoming Storm" by my good self. Additionally, we're on a panel discussing the threat of "Cyberterrorism" alongside Paul Sabanal (IBM Security Systems) and a chap named Sven Herpig who is both a professor and a PhD student specialising in Cyberwarfare.

Click to Enlarge

There's a whole bunch of other talks taking place too, on everything from VoIP security and IPv6 to lockpicking, penetration testing and reversing Android applications. If the talks aren't your thing, the event also doubles as a job fair and we will be on the lookout for both fresh and experienced talent.

If you'd like to listen to me complain endlessly about everything that's gone wrong since I arrived - and who wouldn't - you can do so here on my personal blog thing. Otherwise, we'll be posting various updates from now until the weekend so roll on Rootcon!

Christopher Boyd

Facebook Profile Rollback Phish

2011-09-01T02:55:00.001-04:00

Here's a phishing scam that lures users with the promise of getting their "old Facebook profile" back. What that means is up for debate - maybe the scammer is harking back to a land of slightly less privacy options, or maybe he just wants you to look like a Geocities page from 1996. Either way, here it is:

Click to Enlarge

You too can convert your new Facebook profile into an old one for the low, low cost of your login details.

Here is the "Need Old Profile Back" Facebook page:

Click to Enlarge

As you can see, it's a fairly typical "Click this...then that...then all of those" page, begging for Likes, Suggests and Invitations from other Facebook users. You don't have to do this to see the "Profile Converter", but lots of users will jump through the hoops anyway. Here comes the phish itself, in the form of a Google Docs Spreadsheet:

Click to Enlarge

They claim entering your Facebook login along with your name will mean your profile is converted to "an older version" in 46 hours. Why 46? Why not 48? That's the kind of thing you could distract yourself with for at least, oh, thirty seconds before going back to complaining about things on the Internet.

It's all academic anyway at this point, because those nice people at Google killed it shortly after we reported it to them. Sorry guys, but the changes Facebook have made aren't going away anytime soon so you'd better get used to it and steer clear of scams like this one (a scam which, basic as it was, still picked up just over 2,000 clicks from January).

Hopefully only a small portion of those 2,000 fell for it, but you know how appealing those spinning Geocities gifs can be...

Christopher Boyd

Northumbria Police Authority website defaced, serving Phish for breakfast

2011-08-30T01:42:00.000-04:00

It seems the Northumbria Police Authority website (northumbriapoliceauthority(dot)org(dot)uk) was compromised recently to push a "fight the power" message, and it looks like the defacement is the least of their worries as you'll see shortly.

What is the Northumbria Police Authority?

We could use my wonderful description ("An Authority for the Northumbria Police"), but I think an official source would likely be more informative. According to that handy link they appoint chief constables, make sure the Police are doing their job and listen to locals complaining which is definitely something I can get behind.

Unfortunately, this is how the Northumbria Police Authority were rolling earlier today in Google Search:

Click to Enlarge

"The Northumbria Police Authority website was hacked by lamine Foued ( Dr.F0u3D). F*ck You admin. Freedom For T.H.T Anonymous Tunisia :D."

This isn't quite a 187 on an undercover cop - in fact, it's nothing like that - but they've still done a number on the website. At time of writing, the hack has been removed though you can still see it basking in, er, glory through the wonders of Google Cache:

Well, the defacement may have been cleaned up, but the Northumbria Police Authority have another problem at the scene of the crime. And by "problem", I mean "Paypal phish making a gang sign from the comfort of the Northumbria Police Authority website".

Click to Enlarge

Call for backup! Anyway, we've reported the phish and hopefully it'll be offline soon enough.

Christopher Boyd

WARNING: Incoming Hurricane Irene Scams Ahead!

2011-08-29T19:09:00.000-04:00

As much as we dread hearing about disasters—the natural ones, most especially—happening on certain parts of the globe where most of our families and friends are, we still keep an eye out for what's happening. And as much as we dread remembering that there are people out there who actually bank on news about such natural disasters to scam others, we continue to remind you about them. If you're that person who wants to give financial aid to those who need them during these trying times, this reminder is for you.

A few days back, the FBI issued a warning to netizens to "beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts". The warning also pointed readers to the IC3 government Web page where they can read tips on how to avoid getting entangled into this kind of fiasco. I suggest you visit that page. Also, please tell your friends and family about scams popping not just into their email inboxes but possibly on their social networking streams, too.

In retrospect, here is a short list of some of the "natural disaster" scams that had been out in the wild:

Stay safe!

Jovi Umawing

The Longstanding KVGB Compromise

2011-08-29T08:13:00.001-04:00

Our friends at Zscaler has blogged about a website compromise involving Karnataka Vikas Grameena Bank (KVGB), a prominent regional rural bank in India, last February of this year. It then housed a malicious JavaScript (JS) code that redirects visitors to another domain that was believed to be malicious at one point. The code had been found to be "multilevel obfuscated". Also according to the entry, they have informed the said bank about the code injected on their website.

As of 11:05PM (GMT–4:00) of August 25, six months after the said blog is published, GFI Senior Exploit Analyst Francesco Benedini is alerted about KVGB still housing obfuscated JS code. Below is the screenshot of the code found on the site:

(click to enlarge)

After deobfuscation, Benedini has determined that the supposedly malicious domain is inactive, thus, poses no threat to bank site visitors. The script, however, is working. We detect the malicious code as Trojan-Downloader.JS.Twettir.a (v), and VirusTotal shows a 24/43 detection ratio across all AV companies.

Our experts have also pointed out that the attack is related to the MBR rootkit (Trojan-Spy.Madlo) we generally know as Sinowal / Mebroot. This is because (1) the obfuscation technique used in this attack is reminiscent of the technique used by Sinowal, and (2) the structure of the inactive URL follows the one seen in Sinowal infection campaigns.

GFI is currently attempting to reach KVGB in order to help them clean up their website.

Jovi Umawing (Thanks to Adam Thomas for additional information)

Facebook Makes a Move Toward Security

2011-08-25T01:09:00.000-04:00

Facebook recently published a guide for it's users on how to secure their online accounts from anything that threatens one's Facebook security. Among those covered are Wall, Chat, and Comment spams, weak passwords, fake applications, and account hacking. Personally, I'm quite happy that Facebook is actually doing something that concerns user security, despite it being quite late come to think about it. Still, better to have something than nothing.

The document guide contains practical tips and cases to illustrate the gravity of the attack if ignored. It also has some great, agreeable points that make it a good reference anyone can recommend to their friends and family who are on Facebook. Feel free to download here and distribute.

Jovi Umawing

Of Spam and Speeding

2011-08-18T12:54:00.000-04:00

Our engineers over at the AV Labs have spotted recently a deluge of spam about a "traffic ticket" that purports to come from a state department in New York. The said spam has a compressed file attachment that, once extracted, contains a file that bears the icon of a normal Adobe .PDF file. Mimicing file icons, of course, is a common tactic used by criminals to appease any doubts or worries from recipients of such emails, which are actually malicious in nature.

"The malware appears to be sent from a botnet of unknown origin." says GFI Spyware Researcher Adam Thomas.

When this supposed .PDF file is "opened," it connects to sfkdhjnsfjg(dot)ru (a server in Ukraine) to download and execute the file, pusk3.exe. This .EXE file, detected as Trojan.Win32.Generic.pak!cobra, is a dropper/downloader. As of this writing, it drops/downloads a rogue AV and TDL rootkit variants.

CNN has written an article about this ticket spam early last month. Seeing that it's still getting attention, we can surmise that it still is very much at large.

VIPRE users are already protected from ever accessing and downloading interesting "goodies" from the .RU site. And you can protect yourself from nasty attachments pretending to be something else by enabling file extension names of all files on your system. It's a simple thing to do, yet it can save you from computer security disasters.

Jovi Umawing (Thanks to Adam Thomas for the analysis)

Phony Mc Bling Sting

2011-08-11T03:33:00.000-04:00

CCleaner (formerly Crap Cleaner, which is a glorious name) is a handy program used to remove unwanted files, fix borked registry entries and more besides.

There's a website located at myccleaner(dot)ru which claims to be offering up multiple versions / builds of CCleaner:

Click to Enlarge

It's also offering you the chance to part with your money in various spectacular ways. At time of writing, none of the download links work save for one: "ccsetup303.exe". Unfortunately for us, this is what's known in the business as "a very bad thing". Check it out:

Click to Enlarge

Things look reasonably normal at this point, but then it all goes horribly wrong:

Click to Enlarge

It's not quite all the tea in China, but it is every payment method under the Sun. SMS, paid call, credit card, terminals, Paypal, webmoney and so on. Click some of the links, and they show you all the fun ways you can cough up some dough to (theoretically) get your hands on the program up for grabs. Here's an example:

Click to Enlarge

Most of the payment methods seem to clock in at around $5 USD. Not sure I'd chance it personally - you'd be much better off going to the official site and grabbing it there instead. As for ccsetup303.exe, it has a 29/43 score on VirusTotal and we detect it as Hoax.Win32.ArchSMS. You also score one whole cool point if you got the Simpsons reference in the title.

Christopher Boyd

Here's another thing that's scary about Shady RAT

2011-08-04T15:27:00.003-04:00

A lot of chatter and breathless reporting about Shady RAT. All the makings of an epically awesome story — the US is being taken down by Chinese interlopers to the nastiest degree, installing keyloggers and other badness on US government computers.

Whatever. Who the heck knows how bad this thing really is (and I am not the only skeptic).

But here’s what’s of concern to a lot of security researchers I deal with: It was known by McAfee (and certainly others) but no one apparently ever did anything to take the C&C down, even after knowing about it for months.

Let’s take a look at this paragraph from the hyperbolic Vanity Fair article (italics are mine):

"Alperovitch first picked up the trail of Shady rat in early 2009, when a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network. Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data. After identifying the command-and-control server, located in a Western country, that operated this piece of malware, McAfee blocked its own clients from connecting to that server. Only this March, however, did Alperovitch finally discover the logs stored on the attackers’ servers. This allowed McAfee to identify the victims by name (using their Internet Protocol [I.P.] addresses) and to track the pattern of infections in detail."

So McAfee blocked the IPs for its own customers. In March the C&C was discovered. It’s not clear if it’s still up or finally down (or if it was down by June).

I never saw one mention of this C&C on any of the closed and vetted security lists I’m on. A simple “takedown please” would have generated all the help necessary. This is how a lot of bad stuff gets handled, and the vast majority of internet users are none-the-wiser that there is a large group of very dedicated researchers who are making their lives safer every day. All of the data on the C&C can be put away nicely for post-takedown analysis.

I’m quite certain that McAfee wasn’t the only organization that knew about this, so it’s not only McAfee who shares the blame here. Furthermore, I am not singling out McAfee (we work with them on other areas and there are many very decent people there). Furthermore, McAfee is being clear that this issue is “old news”, and McAfee’s Dmitri Alperovitch is not acting the role of the self-aggrandizer, but rather as a researcher sharing some pretty interesting and educational insights. Furthermore, McAfee did reach out to infected victims.

However, there are many groups or organizations, upon having proof of this C&C, that would have been all over shutting the thing down as fast as possible in coordination with other security organizations.

The bigger point is this: If you, as a security researcher, discover Really Bad Stuff, you should do everything in your power to get that Really Bad Stuff shut down. The next time you see a killer presentation at Blackhat or RSA, ask “what have you done to solve the problem?”.

Perhaps we need a volutnary code of ethics for the security industry. It can start with some pretty simple things, like “If I see really bad stuff happening, I will work with others to fix it”. Enlightened self interest and all that.

Screw NDAs, the fear of competition getting a heads-up on your research, losing a scoopable news story, etc.

This is not about McAfee. This is about the industry. There are researchers out there who aren’t in a position to share data with competitors due to corporate reasons. They shouldn’t be in that position.

Alex Eckelberry

Pottermore: Expecto Riddikulus!

2011-08-04T04:46:00.000-04:00

Now that I have Harry Potter fans foaming at the mouth for randomly mashing up two unrelated spells to express the intent of this blog entry, I'll continue.

Pottermore is - help me out here, Wikipedia - a site that will sell eBooks of the Harry Potter novels, provide over 18,000 words of additional content including background details and settings and "experience" the events of the books first hand. All I know is, lots of Harry Potter fans are excited.

Access is currently limited for the Beta, and of course this means ole' lightning forehead has become a prime target for scams and people wanting to turn a quick profit. Things you should be keeping an eye out for, and running away from:

1) The Official Blog has listed some things you probably shouldn't be getting involved in. Individuals offering to "register on your behalf, with your details" should be avoided. Buying and / or selling accounts on places such as eBay? Don't go there, Hermione. Not only are you "depriving genuine fans", you're also giving money to random people and hoping they give you access to the accounts they claim they've set up. You have some protection in place should you start dabbling in eBay auctions (though not from the price - $100 for a "Buy it now"? Oh dear):

Click to Enlarge

Click to Enlarge

Go throwing your cash around on "myfakewebsite(dot)whatever" and you may be in a little more trouble.

2) Videos on Youtube. I guess if someone is willing to pay up to $100 for Beta access that may not even exist, they'd certainly be willing to walk right into this "Old as the hills" favourite:

Click to Enlarge

"Beta access" available for "Download". At the risk of making like Nostradamus, I wonder if we'll see a survey?

Click to Enlarge

A big hand for the most tiresome scam in history, everybody!

The individual who sent you there will (of course) make some affiliate money should you fill in a survey or enter a competition - meanwhile, after handing over your data to some random marketers you'll be "blessed" with a download which typically turns out to be A) Nothing, or B) Malware.

3) Malware and poisoned search results. Another obvious one, but even so here's a random example found after a few minutes digging around:

The Malware diagnosis for that one can be seen here. It seems to be clean at time of writing, but six exploits, five Trojans and two scripting exploits would have been more than enough to give you bad hair day. You can expect more hacked sites serving Malware alongside poisoned search engine results - both text and image. If your kids are happily babbling on about the joys of Pottermore, it may well be worth sitting down with them and pointing out the types of shenanigans they need to avoid.

Muggles, eh? Can't turn your back on them for more than five minutes...

Christopher Boyd

Department of Defense 419 Mail...

2011-08-04T02:38:00.004-04:00

I'm almost certain pretending to be the Department of Defense is not a good idea, but then it's not like a 419 scammer has that many of those in the first place. In fact, they can't even format an email properly so here's my best attempt at getting as much of it into the screenshot as I could:

Click to Enlarge

You're not missing much after the cutoff, really - just a Mr Allen Bickford asking you to send over your name, address, sex, age, occupation, country, mobile number, landline number and a scan of your ID card.

You know, like you'd do for any random email sent your way. This one does promise you $750,000 in unclaimed funds though. So there's that.

If you see a "Remittance of Unclaimed Funds" mail arrive in your mailbox from the "Defense Finance and Accounting Services", with one "Mrs. Patricia Smith" acting as your legal representative then you should safely file it under "Fire into the heart of the Sun". In fact, you should do that with any random email promising you untold riches.

Christopher Boyd (Thanks Wendy)

Grinding your (Top) Gears

2011-08-01T02:01:00.001-04:00

Here's a site called watchtopgear(dot)info that lets you - amazingly enough - watch Top Gear.

Sort of.

Click to Enlarge

Series 16 / 17 are yours for the taking. Sounds awesome if you're a Top Gear fan, but of course you need to install something - specifically, one of those FREEzefrog bundles we've mentioned previously:

Click to Enlarge

Everything seems to be coming up Milhouse for a change, as once the install is complete the website presents you with Top Gear content (instead of the more usual "nothing at all" for a site of this nature). Feelings of vehicular joy are short lived, however, as the long list of content listed is a little bit inaccurate. And by "little bit", I mean "six videos work and everything else is a hilarious joke at your expense".

Click to Enlarge

Click the first six links, and you'll see some Top Gear episodes that have been ripped and placed on random streaming services.

Click to Enlarge

Click any of the other links, and you'll see the Top Gear team showing off a variety of overly tight jeans and not much else:

Click to Enlarge

Yes, all of the content is missing. Yes, you just installed a bundle of stuff to watch six videos.

No, that was not a good idea.

Christopher Boyd (Hat tip to Steven Burn).

Flickr continues to be a haven for porn/malware redirects

2011-07-29T16:50:00.002-04:00

A few weeks ago, I blogged about porn/malware redirects being hosted on Flickr. After a brief respite, it's back and strong.

Just a quick and trivial search shows over hundreds of porn redirect links, pushing "lolita porn" and redirecting to porn and malware sites.

And again, a list of bad sites is here.

Alex Eckelberry

"Activate Skype". Or not...

2011-07-28T04:27:00.006-04:00

Here's something that looks like Skype, may or may not give you Skype but certainly wants something in return for it first.

Click to Enlarge

So far, so good I guess. It's all in Russian of course, but it looks like it is actually installing Skype.

Then this happens.

Click to Enlarge

As you can see, it's now asking for something - that something presumably being an SMS unlock code, which would likely cost money to obtain (in testing, the dropdown box wasn't available - either because the required site content isn't live at the moment or they're not interested in my IP address). In case you're wondering, the text in the greyed out box says (according to Google translate): "Loading Countries". The other pieces of text say things like "Attention, the program requires activation" and "select your country of residence to receive instructions on how to activate".

Thanks, but no thanks. Also here's a 27/43 VirusTotal score.

The file above (SkypeSetup.exe) comes from a website that doesn't appear to have any frontend to it - d2xx(dot)ru. There's no fancy graphics, no text, nothing. Just the download. The Email address used to register the domain is used elsewhere, however - skype4free(dot)ru. This one has a little more going on:

Click to Enlarge

My handy Google Translator picked up the word "Free" quite a lot - "also, something about having to activate your copy", not so much. You probably shouldn't bother with any of the above when you can go here and obtain Skype for free, right now.

Christopher Boyd

The state of Typepad security

2011-07-27T16:50:00.000-04:00

There are over 3,000 malicious sites on Typepad serving malware. I've put the list of malicious domains here. I've also notified Typepad.

Typepad -- get a clear abuse or security contact on your site, and do some work to police your blogs.

Alex Eckelberry

FakeVimes Infection Offers Up "Home Codec" Packs

2011-07-25T04:28:00.000-04:00

I don't want your heads to explode with the force of a thousand Suns, but I think we may be looking at a new Rogue AV gimmick - specifically in the area of Codecs. I know, I know. Breathe deeply and take a seat.

Researcher Adam Thomas was investigating some FakeVimes Rogues, installing one of the fake products from the usual "Your PC has been infected" website:

Click to Enlarge

He then got ready to take in the sights when this happened: nothing.

No fake security tool asking for payment or telling you the PC has about a million fictitious infections on it, no flashing lights, nothing at all. He rebooted the test machine - still nothing (sometimes a rogue won't rise from the depths until you restart the machine. Surprise!)

This is a typical FakeVimes GUI:

Click to Enlarge

This is not a typical FakeVimes GUI:

Click to Enlarge

You can see what I did there. Anyway, this is a sample of some of the files found on the infected machine:

c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls

Adam went off to the main folder where all the nasty things reside, and found something interesting lurking:

Click to Enlarge

"Spoof.avi"? Well, hello there. Let's see what you get up to in your spare time:

Click to Enlarge

A "Your Codec version is too old" message, complete with popup in the bottom right hand corner telling you to "Update your Codec".

Is this FakeVimes variant designed to prevent you watching movies while making the creator some cash into the bargain? Let's take a look. Opening up a random website to view some files gave some interesting results.

This is what happened when Adam downloaded a video and tried to play it:

Click to Enlarge

"Windows Media Player cannot find the selected file".

Not to be beaten, he tried to stream the file instead. Then they schooled us with science. And a large popup.

Click to Enlarge

"Your player cannot display this video file. Click here to update the Codec".

At this point, you might be expecting infection files, but you're already infected. So what are they going to do?

This:

Click to Enlarge

"Home Codec pack and video converter suite: This version contains a full package of codecs enabling you to watch video in the best quality possible".

Yes, and my name is Elvis. Hitting the (extremely large) Purchase buttons will give you this "Show me the money" payment screen, asking you for up to $35.95 for the "Home" version, plus an optional $9.95 to "Protect your purchase" with an extended download service:

Click to Enlarge

Call it a hunch, but I think the best optional extra here is to run in the opposite direction from this particular fiasco. Of course, it makes sense for the people behind these attacks to start mixing things up a little - FakeVimes has been all over the news recently, and not in a "We love you, FakeVimes" kind of fashion. More like a "FakeVimes, we hate you and we want you to die" fashion as Google took the unprecedented step of warning millions of infected users about it last week. From the Google help page on this one:

A warning appears at the top of the search results page when we believe that the computer you're using is infected with malicious software, also known as "malware." Malware can be used to intercept your computer's connection to Google and other sites. When Google's system detects that a connection has been intercepted, it's likely that the computer was previously infected with malicious software.

With the heat coming around the corner, the FakeVimes people have decided to diversify into a sort of "Rogue Codec" market instead, and it looks like things could be interesting in Rogue AV land for a while as their otherwise glacier-like tactics ("You're infected, have some Rogue AV, thanks for the money") begin to change.

We detect this one as VirTool.Win32.Obfuscator.hg!b (v).

Christopher Boyd (Thanks to Adam Thomas for finding this one)

Correct Version Aversion

2011-07-22T11:02:00.001-04:00

Here's a site located at buburuzka(dot)com/xhupt/71093(dot)php offering up some fake Flash. Humorously, they don't seem to have taken much notice of the latest Flash Player version - compare and contrast:

Click to Enlarge

As you can see, a bit of a difference there. Of course, they're hoping the victims they attract to a scam like this won't pay much attention to what they're clicking on, never mind confirm that the Flash numbering offered matches up with reality.

We detect this as VirTool.Win32.Obfuscator.hg!b1 (v), another 2GCash clickfraud Trojan, and the VirusTotal score is currently at 5/43.

Christopher Boyd (Thanks to Patrick Jordan for finding this one)

.gov.np Site Serves Up Banking Phish

2011-07-22T10:03:00.000-04:00

This is the National Development Volunteer Service of Nepal located at

ndvs(dot)gov(dot)np/_vti_cnf/customer(dot)ibc(dot)htm:

Click to Enlarge

This is an unwelcome addition to the website in the form of a Lloyd's TSB Phish.

Click to Enlarge

It's still live at time of writing, but it's been reported so let's hope it's taken down and the site is cleaned up soon.

Christopher Boyd