Thursday, December 24, 2009

A hidden Christmas greeting from Koobface

Researchers poking around the directory listings behind the URLs used in some of the latest Koobface runs may stumble upon a Christmas greeting directed at the security community:


[Screenshot: Kf_mc_1]



[Screenshot: Kf_mc_2]



Alex Eckelberry
(with thanks to a researcher who prefers to remain anonymous)

Friday, December 18, 2009

Iranian hacktivists hit Twitter site

Twitter was disrupted Thursday night by attackers who hijacked Twitter's DNS entries and rerouted the site's traffic to a page carrying their own banner. The service was back to normal by Friday morning.

Technology blog Mashable attributed the attack to a group calling itself the "Iranian Cyber Army." Judging by the graphic they left, it appeared to be a hacktivist attack.

Story here.

Twitter blog.

Defacement graphic here.

Tom Kelchner

Data Doctor 2010 will make you sick

Our researcher Adam Thomas came across a new piece of ransomware today: an encryption trojan pushed by our old "friends" at iframedollars. If you're unfortunate enough to be hit, it encrypts the files on your hard drive very rapidly.

It arrives through drive-by downloads from malicious web sites and is also bundled with other malware.

1. The victim receives a message that the system is shutting down because of an "Unrecognized disk driver command."

2. The system is then rebooted into safe mode and a message appears: "Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended."

3. When the victim tries to open a file, the message "Unable to open the file due to data corruption" appears. Its "repair file" button downloads Data Doctor 2010, which of course runs in trial mode. It does, however, offer to repair one (1) file so you know it is "legitimate."


And then the pitch: pay $89.95 for a lifetime license. These slimeballs even have the audacity to tack on a $1.50 activation fee.

[Screenshot: Payment_page]

Nice work Adam

Tom Kelchner

Insurgents in Iraq could see some drone videos with $26 software

Laptop computers captured from insurgents in Iraq contained software that enabled them to intercept video feeds from the unmanned drones that are seeing expanded use in the Middle East, according to the New York Times.

The drones, used by the U.S. military to monitor insurgent activities in Iraq and Afghanistan, also can be used to deliver air-to-surface missiles.

Thursday, the Wall Street Journal broke the story that insurgents were using Sky Grabber, commercially available software that sells for about $26, together with a satellite dish, to intercept the transmissions. Sky Grabber was designed to capture satellite downloads of movies and music.

Pentagon officials said the drones' transmissions can be encrypted, but unencrypted feeds have been common where troops on the ground with older laptops or handheld receivers need a direct feed from a drone or a piloted aircraft. The military knew the unencrypted links could be intercepted but chose not to encrypt the local links to save money.

The U.S. military has been expanding its use of video feeds to troops and is rapidly upgrading its equipment to take the encrypted transmissions.

Story here.

Tom Kelchner

Thursday, December 17, 2009

Tales from the Crypt: malware rising from Google cached pages

The Internet Storm Center blog just ran a piece about a malware vector that hasn’t been discussed enough: the Google Cache.

An ISC blog reader named Greg recounted that he was browsing for information, found a site that was down and pulled up the Google cached page to get what he wanted.

The site was down because of a malware infection, and the cached copy, with the injected hidden iframes intact, sent him to a malicious site pushing a rogue security product. (Google's cache serves a saved copy of the page's HTML, but anything that copy loads from elsewhere, such as the content of an iframe, still comes from the live attacker-controlled host.)

ISC blogger Daniel Wesemann wrote “The badware is currently delivered through the domain todolust-dot-com. The EXE changes about twice per hour, and has very low AV coverage (Virustotal). Microsoft and Sunbelt are currently the only two AV tools on Virustotal that do not seem to be perturbed by the rapid morphing of the EXE, and keep catching it reliably.”

ISC blog here.

Dancho Danchev wrote about the cached-malware vector two years ago.

Tom Kelchner

WiniGuard clones are coming thick and fast

Yesterday we blogged about the most recent rogue security product in the WiniGuard family, TheDefend. Patrick Jordan had observed that a new clone was appearing about every two days. Overnight the pace picked up and loyal blog reader Fatdcuk let us know about yet another. He left us a comment: “SysDefence went live about 3 hours ago. They're flying off the conveyor belt today.”

Patrick analyzed it and filed it in the WiniGuard family; it is detected as SysDefence.FakeSmoke.

[Screenshot: SysDefence_GUI]

The GUI is identical to TheDefend except the name.

Thanks Fatdcuk. Thanks Patrick.

Tom Kelchner

China restricts domain name registration

China is putting in place rules that would require a formal, paper-based application from anyone seeking to register a domain name, and would allow only businesses licensed by the state to register at all. Ostensibly the move is to stop the distribution of pornography and other "bad stuff," but some observers believe it is simply one more attempt by the Chinese government to stifle critical political comment.

It would seem that this process could clean up one of the world's worst top-level domains for malicious web sites, but there are some big, big loopholes, the usual percentage of corrupt officials being an obvious one.

Researchers at Trend Micro also pointed out a very large hole in the system: a registration takes effect immediately, but the applicant has five days to submit the paperwork. So a malicious site can operate under the notorious .cn domain for five days and then simply move to a freshly registered domain for another five. Five days is a long, long time for the Internet criminal underground.

Sunbelt researcher Patrick Jordan said he has observed some rogues and other malware using an elaborate system to point victims to a new download site every few hours, often on a cycle as short as 6-12 hours.

Story here.

Trend blog here.

Tom Kelchner

Loss of availability: laptops among prime targets for air cargo thieves

The Wall Street Journal carried a piece about the theft of valuables from luggage, and of luggage itself, at airports. The increase seen over the last five years is being blamed on the bad economy and on security cuts made to save money. Under existing rules, airlines are not liable for the thefts.

A spokesman for the Portland, Ore., airport said baggage thefts are up about 50 percent this year and a prosecutor in the Queens County, N.Y., district attorney’s office said "There's been a tremendous increase in the last five years. It's pretty bad—a lot is getting stolen every day."

Laptop computers, iPods and electronic game systems are among the most popular items with thieves.

“Carousel thieves” – outsiders who simply steal other peoples’ baggage and walk out of the airport with it – are one threat. The other is theft by employees who take valuables from luggage, sometimes to sell on eBay. The insiders often switch routing tags to reroute the victim’s bags and confuse investigators.

Tips for avoiding losses:

-- Don't put valuables like jewelry or electronics in checked luggage. Small items are at the highest risk.

-- If you can’t take valuables in carry-on luggage, ship them. You can insure items with shipping companies.

-- Luggage locks are no protection. They’re easily opened.

-- Report thefts immediately to the airline you’re flying on and the U.S. Transportation Security Administration.

-- Put colorful tape or ribbons on your luggage to make it easily visible.

-- For those who travel a lot with laptops: make sure valuable information is encrypted. Most thefts are for the hardware, but a thief who can figure out how to make money from the contents of your hard drive may well try.

Story here.

Tom Kelchner

Wednesday, December 16, 2009

Dismal statistics: Project Honey Pot marks one billion spam messages

Project Honey Pot has reported that sometime in November it received its one billionth spam message.

“Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims. Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004,” they said.

Their very well-written report contains a load of other information as well, such as the finding that most of the world's spam is probably sent by operators in the U.S., even though the bot-infected machines that actually spew it out can be anywhere.

The report also said: “we've seen the word ‘Viagra’ spelled at least 956 different ways.”

Report here.

Tom Kelchner

Google Doodle search results poisoned

Rogue anti-virus vendors yesterday used search engine optimization techniques to poison the Google results returned when visitors clicked on the Google Doodle, the artwork that periodically appears above the search box on the Google front page.

The Doodle, a rendering of the Esperanto flag, was intended to draw attention to the fact that it was the 150th anniversary of the birth of Polish linguist L. L. Zamenhof who invented the Esperanto language.

[Image: Esperanto flag]



Half of the sites that appeared as top hits in that search had been hacked to redirect visitors to malicious sites that presented scareware warnings and tried to sell rogue anti-virus products.

A researcher at Barracuda Labs was quoted as saying that malicious operators have been working hard recently to steal FTP login credentials. FTP access to a legitimate web site lets them plant code that redirects visitors to other sites, which then download the malware.
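Both this item and the Google-cache item above turn on the same artifact: a frame, or a script that writes one, placed in a page's HTML where the visitor will never see it. The following checker is an added example, not code from the original post or from Sunbelt. It parses an HTML document with the standard library, flags iframes that are tiny or hidden by inline CSS, and decodes the document.write(unescape(...)) construction used to keep the literal string "<iframe" out of the raw source, re-scanning whatever that decodes to. The sample page and every domain and path in it are constructed; the pixel threshold and the CSS patterns are assumptions, not a complete catalogue.

```python
"""Hidden-iframe and injected-redirect finder (added example; not Sunbelt code).

The sample page, its domains and the injection patterns below are constructed
to mirror what the two posts describe: a 1x1 hidden frame, and an iframe
written through document.write(unescape(...)) so that '<iframe' never appears
in the raw HTML.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: one legitimate embed, one injected hidden frame, one
# script that writes a frame from an escaped string.
SAMPLE_HTML = """<html><head><title>Recipes</title></head><body>
<p>Welcome to my recipe site.</p>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe src=%22http://worse.example/x%22 width=0 height=0%3E%3C/iframe%3E'));
</script>
</body></html>"""

# Inline-CSS tricks used to keep an injected frame out of sight (assumed list).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# A string literal handed to unescape(): the usual way to hide '<iframe' from grep.
UNESCAPE_LITERAL = re.compile(r"unescape\(\s*(['\"])(.*?)\1", re.S)


def _tiny(value):
    """True for dimensions of 0-2 pixels ('0', '1', '2px'); False if absent."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return digits != "" and int(digits) <= 2


class InjectionFinder(HTMLParser):
    """Collects suspicious iframes and obfuscated iframe writers."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny frame %sx%s" % (a.get("width"), a.get("height")))
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden by inline style")
            if reasons:
                self.findings.append({"kind": "iframe", "src": a.get("src"), "reasons": reasons})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        for _quote, literal in UNESCAPE_LITERAL.findall(data):
            decoded = unquote(literal)
            if "<iframe" in decoded.lower():
                self.findings.append({"kind": "script", "src": None,
                                      "reasons": ["document.write(unescape(...)) builds an iframe"]})
                # Re-scan the decoded markup so the hidden frame's src is reported too.
                self.findings.extend(find_injections(decoded))


def find_injections(html):
    """Return a list of findings ({'kind', 'src', 'reasons'}) for one HTML document."""
    parser = InjectionFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_HTML):
        print(f["kind"], f["src"], "-", "; ".join(f["reasons"]))
```

Run it over a saved copy of the page source (the cached HTML, or files pulled from the server after an FTP compromise) rather than by browsing the live site, and expect a few false positives from legitimate tracking pixels; the point is to surface the src to investigate, not to block on the result.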

ComputerWorld story here.

Tom Kelchner

Like clockwork: the next member of the WiniGuard rogue family appears

Friday we blogged about the three generations of the WiniGuard family of rogue security products, whose first member appeared in October 2008, and noted that the 50th rogue in that line had appeared that day. Analyst Patrick Jordan observed that a newly named clone was being added to the "genealogy" about every 48 hours. He's been right.

Monday we found GuardPCS and today we found TheDefend. Its associated web site was registered Dec. 4.

The fraudulent operators behind the rogues seem to be doing two things to confuse Internet users and lure them into purchasing this worthless scareware:

-- “Borrowing” content from legitimate anti-virus company web sites, such as certifications and management team pages, for their own web pages.

-- Distributing their rogues under different names and with redesigned graphical interfaces. They usually set up a web site to match the new name. The sites look like those of authentic security products, but, as the song says, they "take the money and run."

[Screenshot: TheDefend FakeSmoke_GUI]


See our earlier blog entry about the WiniGuard family of rogues.

Thanks Patrick

Tom Kelchner

Tuesday, December 15, 2009

“10 million people will you computers are perfectly safe”

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they have also recruited the entire management team of the AVG anti-virus company. Right!

Compare the names on the Smart Systems Technologies rogue page. http://sysadscanner.com/about.php

[Screenshot: Smart Systems]

with AVG’s: http://www.avg.com/us-en/management-team

[Screenshot: AVG management team]


If that isn’t enough to raise your suspicions, check out the Engrish on this page: http://sysadscanner.com/why.php

[Screenshot: SAS Engrish]

Thanks M.N.

Tom Kelchner

Dangerous web searches

Don’t go there. There are a lot of rogue downloaders hiding in those links.

[Screenshot: TigerWoods]

Thanks Adam

Update, 5 p.m. EST

Yahoo CEO Carol Bartz, speaking at the UBS Media and Communications Conference in New York, said the Tiger Woods sex scandal was a better traffic generator than the death of Michael Jackson, according to the ZDNet blog.

Tom Kelchner

Monday, December 14, 2009

FBI warns about rogue security products

The FBI has issued a warning about rogue security products, estimating the loss from the malware so far at $150 million.

The bureau also posted a link where victims can report the scams: the Internet Crime Complaint Center (IC3) at www.ic3.gov/default.aspx

FBI news release here.

Tom Kelchner

Friday, December 11, 2009

Never judge a book by its cover nor a Web site by its pages

Case in point: findproper.org

[Screenshot: SecurityCenter_FakePage]

Sites like this one are just the storefront; the actual download comes from a third-party affiliate site. Had the setup.exe been allowed to run, it would have installed the AntiMalware rogue.

VIPRE catches and blocks the Trojan installer.

See Sunbelt Rogue Blog here.


Patrick Jordan

Down with bloatware

Yeah, he has a point.

It killed the dinosaurs and it's killing us. As if that wasn't bad enough, our software is going the same way. Try as we might, the constant drive for things to get bigger seems irresistible. Bloatware rules. In an age in which every hardware device seems to be shrinking to near invisibility, why is it that the same isn't happening to our software? Isn't it about time that we demanded less, not more?

Link.

Alex Eckelberry


The biggest rogue family

The third generation of WiniGuard gets a new clone every 48 hours

A new rogue security product called IGuardPC, which we added to detections today, is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family Sunbelt researchers have ever detected.

The WiniGuard family dates back to September 2008, when its first domain was registered. The operators behind it have added variants that our researcher Patrick has sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections, though most of them are still caught by existing VIPRE detections.

First Generation

The first generation of WiniGuard used the site winiguard.com, created Sept. 17, 2008, probably by the same group that was already circulating rogues from macguard.net, which resolves to the same IP address. WiniGuard installed five files.

[Screenshot: WiniGuard_GUI_Files]

Second Generation

SaveKeep, first found August 17, 2009, marked the beginning of the second generation, distinguished by the use of two files instead of five.

[Screenshot: SaveKeep]


Third Generation

On Oct. 17, 2009, the TREAntivirus rogue opened the third generation with a new GUI.

[Screenshot: TRE AntiVirus]

Today’s IGuardPC makes a total of 50 clones -- the largest family we’ve ever found:

[Screenshot: IGuardPC_GUI]

WiniGuard rogues by generations

First Generation
10/13/2008 WiniGuard
1/29/2009 WiniBlueSoft
2/20/2009 WinBlueSoft
5/17/2009 WiniFighter
8/12/2009 WiniShield

Second Generation
8/17/2009 SaveKeep
8/24/2009 Savesoldier
8/26/2009 TrustNinja
8/27/2009 SaveDefense
8/28/2009 SafetyCenter
8/29/2009 BlockDefense
9/3/2009 SystemCop
9/11/2009 SafetyKeeper
9/17/2009 SoftSafeness
9/18/2009 TrustWarrior
9/19/2009 SaveDefender
9/22/2009 SaveArmor
9/25/2009 SecurityFighter
9/26/2009 SecuritySoldier
9/28/2009 SecureVeteran
10/2/2009 SecureWarrior
10/5/2009 TrustCop
10/8/2009 SafeFighter
10/9/2009 TrustSoldier
10/13/2009 TrustFighter
10/19/2009 SoftCop
10/21/2009 SoftVeteran
10/23/2009 SoftStrongHold
10/27/2009 ShieldSafeness
10/28/2009 SoftBarrier
10/30/2009 BlockWatcher
11/1/2009 BlockScanner
11/2/2009 BlockKeeper
11/4/2009 BlockProtector
11/7/2009 SystemVeteran
11/9/2009 SystemFighter
11/11/2009 SystemWarrior

Third Generation
10/17/2009 TREAntivirus
11/11/2009 AnitAid
11/17/2009 LinkSafeness
11/17/2009 SiteVillain
11/18/2009 SecureKeeper
11/24/2009 KeepCop
11/26/2009 ReAntivirus
11/27/2009 RESpyWare
11/30/2009 AntiAdd
12/3/2009 AntiKeep
12/7/2009 AntiTroy
12/9/2009 SiteAdware
12/11/2009 IGuardPC

Research by Patrick Jordan

Tom Kelchner


DefenceLab rogue home site has lots of borrowings

There are some “interesting” similarities between the home page of the DefenceLab rogue and the web pages of some legitimate anti-virus companies.

Our good friends at McAfee alerted us to some of this; then Patrick Jordan and Alex Eckelberry took a closer look at the web site associated with the new DefenceLab rogue that we reported on earlier this week.

DefenceLab is the rogue that sends the potential victim to a genuine Microsoft Support page but injects HTML into that page inside the victim's browser, so that it appears as though Microsoft is recommending the purchase of the rogue.

Here’s what we mean by “interesting” similarities:


The “Awards” page was lifted from AVG’s “Awards-References” page right down to a dead link to the ICSA site. (AVG really has ICSA certification and DefenceLab is really malware.)


[Screenshot: Fake awards]

DefenceLab: http://defencelab.com/about/awards
AVG: http://free.avg.com/ww-en/awards-references

The “License Agreements” also came from AVG:

DefenceLab: http://defencelab.com/about/license
AVG: http://free.avg.com/ww-en/eula

The "Company Profile" was lifted from the Mitnick Security Consulting, LLC site:

DefenceLab: http://defencelab.com/about/profile
Mitnick Security: http://mitnicksecurity.com/company.php

And guess where DefenceLab got its privacy policy:

DefenceLab: http://defencelab.com/about/privacy
Sunbelt: http://www.sunbeltsoftware.com/About/Privacy/

They did leave out one paragraph from Sunbelt’s text though:

“You may send an e-mail or letter to the following e-mail or street address requesting access to or correction of your personally identifiable information:

“Privacy Manager. . “

Tom Kelchner

Thursday, December 10, 2009

Is botnet C&C headed for the cloud?

Researchers at HCL Technologies, a strategic partner of CA, found a compromised server on Amazon's Web Services cloud infrastructure working as a command-and-control server for the Zeus botnet. The researchers said the intruders probably found the server as a "target of opportunity" and hacked it to install their malware. The Zeus server has since been removed. The Zeus botnet has been blamed for losses of over $100 million, mostly from bank fraud.

[Screenshot: Amazon web services]

Security company Arbor Networks in August found a botnet using Twitter as a command-and-control channel for its bots.

In September, Symantec researchers found the Chinese-language Grups Trojan using the Google Groups newsgroup escape2sun to distribute commands.

Want to make any predictions?

InfoWorld story here. “Hackers find a home in Amazon's EC2 cloud”

Register story from August: “Twitter transformed into botnet command channel”

Register: “Trojan taps Google Groups as command network“

Tom Kelchner

New malware domain clearing house

In addition to the several malware domain clearing lists available on the net, Paretologic has added their own, available at http://mdl.paretologic.com.

(We also have one, ThreatNet, available as a service to OEMs and security organizations).

Alex Eckelberry

Rebranded rogue claims to be McAfee Secure certified

Patrick Jordan found this malicious little nugget today: Internet Security 2010. It’s a rebranded clone of Advanced Virus Remover, a rogue security product that we first found in June (Sunbelt Rogue Blog entry here.)

[Screenshot: InternetSecurity2010_FakeResults]

It's one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except that its payment screen contains a static graphic imitating the McAfee Secure certification seal.

[Screenshot: InternetSecurity2010_McAfeeSecure_Tested]

A real "McAfee Secure" seal is re-issued daily, carries the current date, and its logo should look like this:

[Screenshot: Real McAfeeSecure tested]

Clicking the real seal takes you to the McAfee Secure rating verification page, https://www.mcafeesecure.com/RatingVerify, which shows the name of the certified web site and its "Status." A seal that is just a static graphic, with no link to that page, is the giveaway.

[Screenshot: McAfee return]

More info about the program here.
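The checks the post lays out, a dated seal and a click-through to the verification page on mcafeesecure.com, can be partly automated. The script below is an added example, not code from the post or from McAfee: it finds badge images in a page and passes only those wrapped in an https link to the verification host, failing static images, plain-http links and lookalike hosts. The verification host set and the sample payment-page footer are assumptions/constructed, and it does not read the date from the image or confirm what the verification page says about the site; those remain manual steps.

```python
"""Trust-seal link check (added example; not code from the post or from McAfee).

What the post describes is checked structurally: a genuine seal is an image
wrapped in a link to the verification page on the issuer's own host. A static
image, a plain-http link, or a link to a lookalike host all fail. The host set
and the sample page are assumptions/constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the verification host named in the post above.
VERIFIER_HOSTS = {"www.mcafeesecure.com"}

# Constructed payment-page footer with three seals: a static copy (as on the
# rogue's payment screen), a lookalike-host link, and a genuine-style link.
SAMPLE_PAYMENT_PAGE = """<div class="footer">
<img src="/img/mcafee_secure.gif" alt="McAfee Secure">
<a href="https://www.mcafeesecure.com.verify-badge.example/RatingVerify?ref=shop.example">
  <img src="/img/mcafee_secure.gif" alt="McAfee SECURE tested daily"></a>
<a href="https://www.mcafeesecure.com/RatingVerify?ref=shop.example">
  <img src="https://seal-images.example/shop.example/today.gif" alt="McAfee Secure sites help keep you safe"></a>
</div>"""


def seal_verdict(href):
    """(reason, ok) for the link wrapping a seal image; href is None if unlinked."""
    if not href:
        return ("static image with no verification link", False)
    parts = urlsplit(href)
    if parts.scheme != "https":
        return ("verification link is not https", False)
    host = parts.hostname or ""
    if host not in VERIFIER_HOSTS:
        # Catches lookalikes such as www.mcafeesecure.com.<something>.example
        return ("links to %s, not the issuer's verification host" % host, False)
    return ("links to %s" % host, True)


class SealChecker(HTMLParser):
    """Finds seal images and records the href of the <a> enclosing each one."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.results = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img":
            label = (a.get("alt", "") + " " + a.get("src", "")).lower()
            if "mcafee" in label and "secure" in label:
                self.results.append(seal_verdict(self._href))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def check_seals(html):
    """Return [(reason, ok), ...] for every McAfee Secure badge in the page."""
    checker = SealChecker()
    checker.feed(html)
    checker.close()
    return checker.results


if __name__ == "__main__":
    for reason, ok in check_seals(SAMPLE_PAYMENT_PAGE):
        print("OK  " if ok else "FAKE", reason)
```

A passing result here only means the badge is wired the way a real one is; the date on the image and the site name and status shown on the verification page still need a human look, which is exactly the check the post walks through.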

VIPRE catches the installer, which is also the rogue's main executable:

[Screenshot: InternetSecurity2010_APBlockingInstaller]

While the rogue is active it also blocks all other applications.

[Screenshot: FileBlockingTactics]

The download sites for Internet Security 2010 all sit on one IP address and belong to the same VX Cactus group that ran the vxgame malware operations from January 2005 until November 2008:

193.104.110.50 buy-internet-security2010.com
193.104.110.50 downloadavr13.com
193.104.110.50 testavrdown.com
193.104.110.50 vscodec-pro.net
193.104.110.50 vsproject.net
193.104.110.50 white-xxx-tube.com
193.104.110.50 white-xxx-tube.net
193.104.110.50 xxx-white-tube.biz
193.104.110.50 xxx-white-tube.net
193.104.110.50 pc-scanner-2010.org
193.104.110.50 avrdownnew8.com
193.104.110.50 pc-scanner-2011.org
193.104.110.50 pc-scanner-2011.biz
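Lists like this are built by pivoting on the shared address: every domain that resolves to the IP of a known download site is a candidate member of the same operation, and the same pivot is what ties macguard.net to winiguard.com in the WiniGuard post above. The script below is an added example, not Sunbelt's tooling. It walks domain-to-IP-to-domain from a seed over a set of (domain, IP) observations. The four 193.104.110.50 domains come from the list above; the other IPs and domains are constructed, and MAX_TENANTS is an assumed cut-off so the walk does not cross a crowded shared-hosting address and sweep in unrelated tenants.

```python
"""Shared-IP pivot (added example; not Sunbelt's tooling).

Observations are (domain, ip) pairs as a passive-DNS feed or a hosts-style
list would give them. The four 193.104.110.50 entries come from the list
above; every other domain and IP here is constructed, and MAX_TENANTS is an
assumed cut-off for "this address is shared hosting, don't pivot through it".
"""
from collections import defaultdict, deque

RECORDS = [
    ("buy-internet-security2010.com", "193.104.110.50"),
    ("downloadavr13.com", "193.104.110.50"),
    ("testavrdown.com", "193.104.110.50"),
    ("pc-scanner-2010.org", "193.104.110.50"),
    # Constructed: one download domain was also seen on a second dedicated IP.
    ("testavrdown.com", "198.51.100.7"),
    ("avr-next.example", "198.51.100.7"),
    # Constructed: one domain also parked on a crowded shared-hosting IP.
    ("downloadavr13.com", "203.0.113.10"),
] + [("tenant%02d.example" % i, "203.0.113.10") for i in range(40)]

MAX_TENANTS = 20  # assumption: more domains than this on one IP = shared hosting


def index(records):
    """Build ip -> {domains} and domain -> {ips} maps from (domain, ip) pairs."""
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
        by_domain[domain].add(ip)
    return by_ip, by_domain


def pivot(seed, records, max_hops=2, max_tenants=MAX_TENANTS):
    """Walk domain -> IP -> domain from `seed`, breadth first.

    Returns (related, skipped): related maps each discovered domain to the IP
    that linked it; skipped is the set of IPs too crowded to pivot through.
    """
    by_ip, by_domain = index(records)
    related = {seed: None}
    skipped = set()
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for ip in sorted(by_domain[domain]):
            if len(by_ip[ip]) > max_tenants:
                skipped.add(ip)  # shared hosting: co-tenancy proves nothing
                continue
            for other in sorted(by_ip[ip]):
                if other not in related:
                    related[other] = ip
                    queue.append((other, depth + 1))
    del related[seed]
    return related, skipped


def hosts_blocklist(domains):
    """Render domains as hosts-file lines that sinkhole them locally."""
    return ["0.0.0.0 %s" % d for d in sorted(domains)]


if __name__ == "__main__":
    related, skipped = pivot("buy-internet-security2010.com", RECORDS)
    for domain, via in sorted(related.items()):
        print("%-32s via %s" % (domain, via))
    print("skipped crowded IPs:", ", ".join(sorted(skipped)))
    print("\n".join(hosts_blocklist(related)))
```

In practice the observations come from passive DNS or from resolving a candidate list yourself; the hop and tenant limits are the two knobs that trade recall against false positives, and the hosts-file output is the cheap sinkhole a researcher can drop onto a test box.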

Thanks Patrick.

Tom Kelchner