
Thursday, September 02, 2010

Faulty Fiverrs

Fiverr is an excellent site that allows you to buy / sell services – all of which cost $5.

There’s all sorts of crazy things on there, but does it attract rogues and individuals who generally want to mess up your day?

You bet. With a little furtive digging you can uncover all sorts of dubious antics up for grabs – for the low, low price of $5!

There’s this guy, who is selling an XBox Live account (not something we’d advise purchasing, as more often than not XBox Live accounts up for sale have been phished):

Ffiverr2

We also have someone claiming they can “unlock all achievements” in your games. This will be done by using custom made software to tamper with the data on your XBox profile (again, not advisable) and unlock all the gaming achievements artificially.

Ffiverr1

Note that unless they do it the “right” way (and this is a very tricky thing to pull off), Microsoft can easily tell which profiles have been fiddled with, leading to a banhammer – and there’s no guarantee the seller will give you your account back at the end of it.

The Playstation network isn’t safe from these kinds of sales either:

Ffiverr3

Moving the notch up a little bit, you can find a lot of spreading guides and hacking tutorials (cpalead surveys and i-stealers are popular topics of conversation):

Ffiverr4

Ffiverr5

Can we find guidance on how to phish accounts and sell them on for a profit too? You bet:

Ffiverr6

Some users also spend their time offering up “undetectable keyloggers”:

Ffiverr7

I’m not entirely sure what the deal is with the odd Blue Steel pose there, but if you really want to be annoying you can find people who will happily delete accounts on sites such as Facebook:

Ffiverr8

Ouch.

I don’t know about you, but I’m going to stick to “Learn to be a Ninja” and “Will sing any song in Hindi for $5”.

Christopher Boyd

Wednesday, September 01, 2010

GFI/Sunbelt Labs quarterly briefing is on the Web

“Turn the Tables on the Bad Guys, Malware Unmasked”

The Sunbelt Labs quarterly briefing “Turn the Tables on the Bad Guys, Malware Unmasked” is available for your viewing pleasure.

video



Schwartzkopf began by describing GFI's recent acquisition of Sunbelt Software. Schwartzkopf said the move will enable GFI to merge innovative VIPRE technology into GFI’s email and Web security products and move into new markets.

The presentation features a 25-minute PowerPoint presentation and 20 minutes of Q&A.

In the presentation, Glenn and Jack discuss the details of the TDL 3 (TDSS or Alureon) rootkit and the Sunbelt Labs CWSandbox.
(click to enlarge image)

They credit CWSandbox with VIPRE’s recent showing in Virus Bulletin’s Reactive and Proactive (RAP) analysis of detection rates. VIPRE was evaluated as the AV engine with the highest proactive behavioral detection rate.

Glenn and Jack also discussed their analysis of the zero-day Stuxnet exploit, the first malicious code that can infect 64-bit systems running Windows 7.
Next webinar: December 8, 9 a.m. and 2 p.m. Eastern Time

Sign up here.

(click to enlarge image)

Tom Kelchner

The Master of all you Survey

Here’s a cheeky one. On the Greasemonkey script site Userscripts(dot)org, there’s a script claiming to banish all those horrible surveys that keep "free" downloads out of your reach forever.

Sounds good, right?

Survscript1

Well, let’s fire up the install process. I can hardly wa -

Survscript2

…hang on, “download the REAL SCRIPT from here”?

Can you guess what is lurking at the download location?

Survscript3

Attempting to hide a "survey bypassing script" behind...a survey? Whoops. “You should only install scripts from sources you trust” is on the install box for a reason…

Christopher Boyd

Friday, August 27, 2010

Microsoft releases work-around tool for DLL loading vulnerability

Microsoft has posted an advisory that explains the "DLL preloading attacks" and offers a work-around tool that “allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.”

When an application loads a .dll file without specifying a full path, Windows searches a pre-defined set of directories for it. Exploiting this, an intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network share and execute arbitrary code.

Advisory here: Insecure Library Loading Could Allow Remote Code Execution
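The work-around Microsoft describes is a registry setting, so the practical question for an administrator is whether it is actually in place. The script below is an added example, not Microsoft's tool and not from the advisory: it reads the CWDIllegalInDllSearch value globally and under each Image File Execution Options entry and explains what each value means. The key paths and value meanings are assumed from Microsoft's KB2264107 documentation of the setting, which this post does not cite.

```powershell
# Added example (not Microsoft's tool, not from the advisory): audit whether the
# CWDIllegalInDllSearch mitigation is set, globally and per application.
# Key paths and value meanings are assumed from Microsoft KB2264107.
$valueName = 'CWDIllegalInDllSearch'
$globalKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-CwdDllPolicy {
    param([string]$Path, [string]$Scope)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$valueName) {
        return [pscustomobject]@{
            Scope   = $Scope
            Value   = $null
            Meaning = 'not set: default search order, current directory included even on remote shares'
        }
    }
    # REG_DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1; normalise it
    $v = [uint32](([int64]$props.$valueName) -band 0xFFFFFFFF)
    $meaning = switch ($v) {
        0          { 'default search order (same as not set)' }
        1          { 'current directory skipped when it is a remote share (UNC or WebDAV)' }
        2          { 'current directory skipped when it is a WebDAV share' }
        4294967295 { 'current directory removed from the DLL search order entirely' }
        default    { "unrecognised value $v" }
    }
    [pscustomobject]@{ Scope = $Scope; Value = $v; Meaning = $meaning }
}

# Global policy first, then any per-application overrides under Image File Execution Options
Get-CwdDllPolicy -Path $globalKey -Scope 'global'
Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    Get-CwdDllPolicy -Path $_.PSPath -Scope ('per-app: ' + $_.PSChildName)
} | Where-Object { $null -ne $_.Value }
```

Run it from an elevated prompt so both hives are readable. A result of "not set" on the global key means the advisory's work-around has not been applied on that machine; per-application rows only appear where an override exists.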

Tom Kelchner

Human factors: drunken employee blasts server with .45 handgun

Dude! Chill! EVERYBODY wants to shoot them!

A variety of news outlets are reporting an incident in Salt Lake City in which an employee of a mortgage company allegedly got drunk at a concert, returned to his office and put several .45 caliber bullets into a company server with a handgun. Damage was estimated at $100,000.

According to police, Joshua Lee Campbell, who worked for RANLife Home Loans, is facing charges of:
-- felony criminal mischief (second-degree felony)
-- carrying a dangerous weapon while under the influence (class B misdemeanor)
-- providing false information to police (class B misdemeanor)

Police said Campbell told them he’d been beaten, robbed of his gun and given drugs by his attackers. When police interviewed Campbell’s friends, however, they said he had threatened to shoot the machine.

Most news outlets played the story straight, though some couldn’t resist the humor. RightPundits.com accompanied the story with a clip from the movie “Office Space” of three guys destroying a computer with a baseball bat.

KAKE TV in Wichita, Kan. ran the headline: “Employee Tries To Reboot Computer With Gun”

Tom Kelchner

Fake Pokemon MMORPG chooses you, Pikachu

I’ve been seeing a lot of questions pop up in relation to a website involving a “free Pokemon MMORPG”.

Pokebar1

Shall we take a look?

The site in question is (of course) pokemon(dot)awesomefreegames(dot)net. You’re promised an awesome MMORPG that involves PvP duels, hunting for Pokemon, trading, sea hunting, hidden locations “and more”.

Pokebar2

Note the server indicator at the top, which claims there are 685/700 spots being used.

It all looks very nice:

Pokebar3

Is this going to end in disaster? Why yes, it is.

Click any of the “Play Now” buttons and a prompt for Hotbar appears:

Pokebar4

Notable: the minimum age to install is 18+…but how many over-18s play Pokemon? Anyway, assuming the end-user installs Hotbar and any optional extras, they’re then taken to another page:

Pokebar5

Amazingly (or not), the Hotbar install isn’t enough - they now want you to fill in a survey because “the game is hosted on a dedicated server”. I guess running a Pokemon game costs a lot of money! Again, given that the end-user may well be under 18 you probably don’t want them filling in any of that stuff.

Can we get to the download now?

Pokebar6

The “game” is available from two download locations. One of them is on free webhosting at Tiscali, and this one is a mess – many of the files inside the zip are password protected, and attempting to run the Exe will make your desktop look like this:

Pokebar7

Yes, your PC is pretty borked. Not because the file is malicious – probably because half the bits and pieces it needs to work are still locked away in the Zip. The other download works a lot better, installing the “Pokemon MMORPG” in one go.

So far, we’ve braved a Hotbar install, a bunch of random surveys and played Russian Roulette with download links that might bork your computer if you run the wrong one.

Awesome.

The best is yet to come, however. After all of the above messing around, this is what you end up with:

Pokebar8

It’s very…uh…brown. Open up the help file, and you’ll probably realise you’ve just been fooled into installing programs and taking surveys to get your hands on…

Pokebar9

…a very feature limited demo that looks absolutely nothing like the game advertised on the website. Did the website creator just grab a random (and unrelated) demo freely available elsewhere and build a nonsensical MMORPG website around it?

Yep, I think they did. Feel free to steer clear of this one.

Christopher Boyd

Thursday, August 26, 2010

New Trojan offers a choice of rogue security products

You get to choose your poison.

A Trojan that pretends to be a Microsoft security function is popping up something new.

Basically, it mimics the idea of VirusTotal (http://www.virustotal.com/), a site which enables you to see how 40 legitimate security companies identify a sample of malicious code that you submit.

The Trojan copies files into multiple folders under different names. After five to 15 minutes, it generates a fake alert pop-up window:

(click graphic to enlarge)

After you click ANY of the four buttons on the scary “Potential threat details” screen, it takes you to a web site that shows you how different anti-malware products allegedly identify the malware that is (not really) on your computer. It includes a long list of legitimate ones, which oddly enough find no infection on your machine.

However, the display shows that four of them (which are NOT legitimate security products) have identified malicious files. Just by coincidence, those are also the ones that have a “free install” button listed next to their names.

Four of those buttons lead to rogue downloads:
-- Red Cross Antivirus
-- Peak Protection 2010
-- Major Defense Kit
-- Pest Detector4.1 (lower on page, not shown in screen shot.)

And, of course, you know the drill. Although the installs are "free" they pop up scary warnings that your machine is infected, but don't remove the threats until you pay.

(click graphic to enlarge)

Red Cross Antivirus is the third rogue in the FakeRean family (third generation).

(click graphic to enlarge)

Peak Protection 2010 is the second rogue of the FakeRean family's third generation:


Major Defense Kit

(click graphic to enlarge)

Pest Detector4.1 is the first rogue of the FakeRean family's third generation:

(click graphic to enlarge)

The rogues install themselves as antispy.exe and tmp.exe in %local_settings%\Temp and run. VIPRE detects them as Trojan.Win32.Generic.pak!cobra.

The install reboots your computer, kills Windows Explorer (which is what displays your desktop) and leaves you with no icons on your desktop. Using Task Manager, however, it is possible to launch Windows Explorer and restore the icons to the desktop.

VIPRE identifies the initial fake alert as Trojan.Win32.FakeAlert.FakeAV-EI.
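For anyone who wants to check a machine for the dropped files rather than wait for the pop-up, here is an added example (not the analysts' tooling and not from the post) that looks in the current user's Temp folder for the two file names reported above, hashes anything it finds and notes whether a process by that name is running. The file names are the post's; the folder mapping of %local_settings%\Temp to $env:LOCALAPPDATA\Temp is my assumption, and since tmp.exe is a generic name a hit still needs confirming by hash or scan.

```powershell
# Added example, not from the post: look for the file names the post reports for the
# FakeRean rogues in the current user's Temp folder (the post's %local_settings%\Temp,
# assumed here to be $env:LOCALAPPDATA\Temp). The names come from the post.
$tempDir      = Join-Path $env:LOCALAPPDATA 'Temp'
$suspectNames = @('antispy.exe', 'tmp.exe')

function Find-RogueDroppers {
    param([string]$Directory, [string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $item     = Get-Item -LiteralPath $path
        $procName = [IO.Path]::GetFileNameWithoutExtension($name)
        # Running is true when a process with that image name exists right now
        [pscustomobject]@{
            Path    = $path
            Bytes   = $item.Length
            Written = $item.LastWriteTime
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Running = [bool](Get-Process -Name $procName -ErrorAction SilentlyContinue)
        }
    }
}

$hits = @(Find-RogueDroppers -Directory $tempDir -Names $suspectNames)
if ($hits.Count -gt 0) { $hits | Format-List }
else { "No $($suspectNames -join ' or ') found in $tempDir" }

# The post's symptom is an empty desktop because explorer.exe was killed. Task Manager's
# File > New Task dialog, or this line from a console, brings the shell back:
# Start-Process explorer.exe
```

The SHA256 is there so a suspicious file can be submitted to a sandbox or VirusTotal without copying the executable around; the detection names above are what VIPRE reports, not something this script decides.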

Here is what the real VirusTotal page looks like:

(click graphic to enlarge)

Thanks Patrick.

Tom Kelchner

Wednesday, August 25, 2010

Miss Universe SEO poisoning (surprise surprise)

Our alert analyst Adam found this one, although we don’t know why he was doing web searches for “Miss Universe 2010.” He clicked on one, expecting to see long legs. Instead, he saw this pop up:

(click image to enlarge)

VIPRE detects it as FraudTool.Win32.SecurityTool (v).

The really mangled English should have given that away – for native speakers, anyway.

Clicking “OK” led to this rogue:

(click image to enlarge)

The rogue “Security Tool” has been around since last October. We posted it on the rogue blog here.

Thanks Adam

Tom Kelchner

FedEx-package malicious spam again (still)

Oh sure! Print out the attachment. Pay no attention to what’s inside the .zip file!

FedEx_attach

FedEx_text

Here’s what was left inside the .zip file after our Ninja Blade email security installation scanned it:

FedEx_NinjaMsg

If you’re curious, it was zbot.

Thanks Kara.

Tom Kelchner

Scammers let Facebook users take up the spam reins

Here’s an odd collection of websites promising lots of free Facebook goodies, including “Free Texas Holdem Poker Chips” – one million chips, to be exact.

Sounds great, doesn’t it? Unfortunately, all we’re left with is proof positive that too many people will click anything put in front of them – no matter how silly the initial promise.

Here’s the website, located at starringmovie(dot)net/secretchips(dot)html:

FB Chips

Underneath the blurb, we can see how many people have been jumping through hoops to obtain their free chips:

FB chips

Facebook users are asked to paste a spam message “5 times anywhere on Facebook”. The spam reads “Omg it’s real, they just send me 1M chips for free – check it out [url removed] – you got nothing to lose”.

I particularly like the recommendation to plaster it all over the official Texas HoldEm page. “You got nothing to lose”? You have nothing to gain, either. 6,833 Facebook users have hit the “Like” button, and the two “Share” buttons are being put through their paces too with 4,165 users sharing the free chips page and 1,128 users sharing starringmovie(dot)net, which is a bunch of ripped movies streamed from various sources.

Once you’ve promoted both portals, they dangle a not-very-impressive splash page in front of you, finishing off with some underwhelming text.

Here’s the splash:

FB chips

And here’s the text:

FB chips

Yes, they want you to send them your Facebook username and associated email address, which smacks of targeted marketing and lists you probably don’t want to be on.

For anyone holding onto the vague hope of chips arriving in your mailbox sometime soon, here is your wake up call. Please don’t get suckered into these kinds of deals – the only person that benefits from all the gruntwork you put in is the site owner themselves.

As a matter of fact, the above message is hosted elsewhere, at elite-slots(dot)com/chips(dot)html. That domain also has an “offer” for another Facebook application, located at elite-slots(dot)com/treasure(dot)html.

FB chips

How many people shared this one?

Fb chips

Yes, that does say 16,000.

Worse, after clicking through to get my hands on the “reward”, I was dumped at another URL, shikoshlir(dot)com/facebook.

Fb chips

Anyone entering their login information will be taken to a .php page hosted at the same site – we reported all of the above sites to Facebook, and all of them including the login page have quickly been suspended and taken offline. If you or your friends have encountered Facebook logins related to free prize websites, you may want to change your login details to be on the safe side.

I doubt we’ve seen the last of this one…

Christopher Boyd

Monday, August 23, 2010

TWot Bot attempts a headshot

The last few weeks, discussions have been bouncing around IRC in relation to a “guaranteed Twitter headshot”. While the downloads linked to were protected by a Sharecash gateway (think “useless survey”), it wasn’t too hard to find a version uploaded elsewhere. Depending on the mood of the individual controlling the infection file, you’ll either fall victim to a random annoyance or a few hours of face punching horror. Shall we take a look?

Presenting…the TWot Bot Builder.

Twotbot

As you can see, these days it’s all about the Twitter. “TWot Bot” consists of a very straightforward builder that lets you enter your Twitter name, then hit the Create button. You’ll end up with a file called “Server.exe”, which contains the Twitter username you entered into the builder.

The file is sent to the victim(s), and assuming they run the executable the attacker simply has to fire up their Twitter account and send some instructions to the compromised PC.

Server.exe accepts just two commands – “Shutdown” and “Destroy”.

code

As you’ve probably guessed, Shutdown attempts to shut down the PC. Destroy is rather nasty, attempting to delete the file hal.dll.

You don’t want to delete hal.dll.

If you don’t have a recovery CD, it could be a bit of a pain to get hold of your data and put it somewhere safe (you do have backups, right?)

Curiously, the infection file lists both your Twitter Username and one seemingly inactive Chinese account. While this account could theoretically take control of every infected machine, it is still sitting around doing nothing – not that I’m complaining!

Shall we take a look at detections? The infection file comes up as 5/42 on VirusTotal, which unfortunately is a bit on the low side. The Builder program shows as 1/42 (that would be us), so if you have someone playing around with it on your network it’ll be stomped into the ground. Keep your eyes peeled for Backdoor.Win32.Twotbot.A!

Christopher Boyd

Friday, August 20, 2010

Facebook login phishing

Funny, that ISN’T the Facebook URL

Here’s one of the latest Facebook phish attempts: videos of “beautifull” girls:

Facebook_Phish_1

It might look like the Facebook login page, but, check out the URL. I don’t think you want to log in to Facebook there.

Facebook_Phish_2

Tom Kelchner

Microsoft: drive-by Trojan preying on out-of-date Java installations

A piece by Marian Radu on Microsoft’s Technet Blog is warning that users who have failed to update the Java Runtime Environment (JRE) on their machines are vulnerable to drive-by downloads by a Trojan called Unruy. That Trojan has been associated with rogue security products. Radu said the vulnerability (which was patched in March) is being actively exploited.

Browsers running JRE versions up to version 6 update 18 are vulnerable. The current JRE version today is version 6, update 21.


Microsoft Technet blog piece here: “Unruy downloader uses CVE-2010-0094 Java vulnerability”

Users can easily check their version of Java and download necessary updates here: http://www.java.com/en/download/manual.jsp

JavaUpdate_1
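For checking a fleet rather than one browser, the version string that java -version prints is enough to decide whether a machine falls in the range the post describes. The script below is an added example, not from the blog or from Microsoft's post: it parses that string and flags anything at or below 6 update 18. The version-string format (1.6.0_21, with the update number after the underscore) is what Sun-era JREs printed; the cut-off is the post's.

```powershell
# Added example (not from the blog or Microsoft's post): read the version string that
# "java -version" prints and flag a JRE at or below 6 update 18, the cut-off the post gives.
function ConvertTo-JavaVersion {
    param([string]$VersionText)
    # Sun-era strings look like: java version "1.6.0_21"  (update number after the underscore)
    if ($VersionText -match '1\.(\d+)\.\d+(?:_(\d+))?') {
        $update = if ($Matches.ContainsKey(2)) { [int]$Matches[2] } else { 0 }
        return [pscustomobject]@{ Major = [int]$Matches[1]; Update = $update }
    }
    return $null
}

function Test-JreOutdated {
    param([string]$VersionText)
    $v = ConvertTo-JavaVersion $VersionText
    if ($null -eq $v) { throw "Unrecognised Java version string: $VersionText" }
    # anything older than 6u19 is inside the range the post describes as vulnerable
    return ($v.Major -lt 6) -or ($v.Major -eq 6 -and $v.Update -le 18)
}

$java = Get-Command java -ErrorAction SilentlyContinue
if ($null -eq $java) {
    'java.exe is not on PATH; check Add/Remove Programs or java.com'
} else {
    # java -version writes to stderr, so merge it into the output stream and keep line one
    $line   = (& java -version 2>&1 | Select-Object -First 1).ToString()
    $status = if (Test-JreOutdated $line) { 'OUT OF DATE - update from java.com' } else { 'current enough' }
    "$line -> $status"
}
```

Test-JreOutdated can also be fed a string collected from an inventory tool, so the same check runs without executing java on each host; a machine with several JREs installed needs each one checked, since the one on PATH is not necessarily the one the browser plug-in uses.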


Tom Kelchner


 

Wednesday, August 18, 2010

Blogging: what do you call the bad guys?

How about “ass hats”

Yesterday in a computer security blog piece (which was taken down overnight), a writer referred to the person who launched malicious code as an “ass hat.” I kind of liked that. It’s a bit opinionated, but probably sums up what everybody thinks of them.

Every security writer struggles with the problem of what to call the “bad guys.” The struggle reflects the very wide and massively complicated field we work in. “Bad guys” is imprecise and informal, though. There are a lot of flavors of “bad guys.”

“Criminals” seems to cut through a lot of the linguistic haze. In a string search through all my blog pieces since 2009, I see that I’ve used that more than any other word. “Bad guys” came in second and “malicious operator” third.

The “white hat/black hat” distinction is useful in big, generalized discussions of computer security issues too. It captures the strange boundary that exists between activities like penetration testing and hacking a system for theft or malicious purposes. They both involve pretty much the same skill set and same work.

Another good phrase that’s useful in discussions of the big picture is “the dark side.” That’s got great Gnostic, philosophical sound to it. If the criminals are the “dark side” that means those of us in the security community are fighting on the side of “the forces of light.” (We need tee shirts!)

“Malcode writer/distributor” is a good, precise handle for people who do that. Malcode writing kits have been around for a while, however, and the specialization in the world of organized crime means that the one distributing malcode may not be the one who created it.

“Botnet operator” describes people who run botnets. Again, they may or may not be the actual people who write the malicious bot code since crime-ware kits can automate that.

“Malicious operator” isn’t that great, but, hey, you have to call them something and sometimes nothing else really works.

“Spammers” are, well, the original ass hats in most people’s thinking. Again, they're specialized, although there’s a cross-over with “botnet operators.”

A former colleague of mine, who began his career as an Army security officer, often used “miscreant” and “actor.” Both are great English words, but they seem a bit formal.

“Intruder” works when you’re talking about somebody exploiting vulnerabilities and running code on somebody else’s machine or downloading data from a poorly secured network or machine. “Intruder” also sidesteps the huge controversy over the word “hacker,” which you simply can’t use any more.

“Hacker” is waaaaay too loaded to use in any circumstance. It began life years ago with a wonderful idealistic, romantic aura. For a while, “hackers” were smart, clever and tireless young explorers who tracked down the arcane details of those new computers. Every kid who learned Basic wanted to be one. There were movies that portrayed them as picaresque heroes, bringing down the hostile alien space craft by hacking its network (which implied 1. bad password security even in outer space and 2. a strange compatibility between Mac laptops and the AlienOS.)

That romantic image crashed suddenly. I remember the day when the above-mentioned colleague, wrote about the discovery that “hackers” were working with organized crime groups, largely in Eastern Europe, to make money. He wrote something like “hacking is no longer for fun, it’s for money. Hacker = criminal. Get over it.” It was a sad end-of-innocence moment but a lot of people want to cling to that romantic image. So, it's best to simply not use the word.

Decent kids interested in computer security and on their way to CISSP certifications are still “hacking” of course, but the name was tarnished beyond all recognition. We can just hope that more join the forces of light than join the forces of darkness.

Tom Kelchner

Tuesday, August 17, 2010

Feds will not bring charges in Pa. school webcam spying case

Philadelphia news radio station KYW is reporting that U.S. Attorney Zane Memeger has announced that no federal criminal charges will be brought against officials of the Lower Merion School District near Philadelphia in Pennsylvania, in a much discussed webcam spying investigation.

The FBI investigated after it was revealed that district personnel had switched on the web cams on school-issued laptop computers and took tens of thousands of webcam images of students in their homes.

The district used the remote management capability to track down lost and stolen computers. In earlier stories it was reported that investigators found that in many cases, the district IT personnel neglected to turn the monitoring system off and the system stored tens of thousands of webcam photos. There was no record that anyone had ever viewed the stored photos, they said.

Two lawsuits have been brought against the district in connection with the webcam recordings.

Story here: “No Federal Charges in Lower Merion “Spycams” Case”

We reported on this on the Sunbelt blog here “Lower Merion spyware case: details emerge”

And here: “FBI will investigate Pa. school district webcam spying”

Tom Kelchner

The bad guys are going after the Pirates

File-sharing organization Pirate Bay has been controversial for a long time, like maybe the length of its entire existence. It’s been in the news recently because a number of governments are trying to shut it down. That’s a situation ripe for social engineering.

Our analyst Matthew Mesa found this scheme this morning: a number of typo-squatting sites carrying the following. (Note: the REAL Pirate Bay site is thepiratebay.org.) What would lead a victim to this? The phony site piratebay.com (below) comes up as the third result on a Google search for “piratebay” or fourth for “pirate bay."

PirateBayFake_1

The phony sites we found were:

http://htepiratebay.org/
http://piatebay.org/
http://www.piratesbay.org/
http://piratesbay.com/
http://piratebay.com/
http://thepriatebay.org/
http://thpiratebay.org/
http://thepiratesbay.org/
http://thepirateby.org/
http://www.thepiratbay.org/
http://videobay.com/
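Most of the names in that list are one or two keystrokes away from the real domain, which is exactly what a look-alike check can catch in a proxy log or a domain watch list. The script below is an added example, not the analysts' tooling: it measures the edit distance between each hostname and thepiratebay.org (and, since several of the fakes drop the "the", against piratebay as well) and reports anything within two edits that is not the genuine host. The distance threshold of 2 and the "strip www and the TLD" normalisation are my choices; the input list is the post's.

```powershell
# Added example (not the blog's or the analysts' tooling): flag hostnames that sit within
# a couple of edits of the genuine thepiratebay.org, using the post's own list as input.
function Get-EditDistance {
    param([string]$A, [string]$B)
    # classic Levenshtein distance computed with two rows
    $prev = 0..($B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-LookalikeDomain {
    param([string]$Url, [string]$RealHost = 'thepiratebay.org', [int]$MaxDistance = 2)
    $hostName = ([uri]$Url).Host.ToLower() -replace '^www\.', ''
    $brand    = $RealHost -replace '\.[^.]+$', ''     # thepiratebay
    $label    = $hostName -replace '\.[^.]+$', ''     # hostname without its TLD
    # measure against the brand with and without the leading "the", so piatebay.org
    # is compared with piratebay rather than thepiratebay
    $d = [Math]::Min((Get-EditDistance $label $brand),
                     (Get-EditDistance $label ($brand -replace '^the', '')))
    $verdict = if ($hostName -eq $RealHost) { 'genuine' }
               elseif ($d -le $MaxDistance) { 'look-alike' }
               else { 'different name' }
    [pscustomobject]@{ Host = $hostName; Distance = $d; Verdict = $verdict }
}

# the post's list, plus the real site as a control
$sites = @(
    'http://thepiratebay.org/', 'http://htepiratebay.org/', 'http://piatebay.org/',
    'http://www.piratesbay.org/', 'http://piratesbay.com/', 'http://piratebay.com/',
    'http://thepriatebay.org/', 'http://thpiratebay.org/', 'http://thepiratesbay.org/',
    'http://thepirateby.org/', 'http://www.thepiratbay.org/', 'http://videobay.com/'
)
$sites | ForEach-Object { Test-LookalikeDomain -Url $_ } | Format-Table -AutoSize
```

On this input every misspelling scores 1 or 2 and piratebay.com scores 0 against the brand but is still reported as a look-alike because the host differs from the real one; videobay.com scores 5 and comes out as a different name, which is the limit of the technique: edit distance catches typos, not thematic names, so a watch list still needs a human eye on the "different name" rows.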

OK, we thought we’d click the download button (kids, don’t try this at home) and see if the software really is “. . . safe and keeps me protected.”

PirateBayFake_AdwareAlert


Short answer: “no.”

It tries to download a file called “eMuleSetup.exe” from a site registered to Hotbar, Inc. VIPRE detects it as “Pinball Corporation. (v)”

The real Pirate Bay site is NOT posting any warnings.

RealPirateBay

Thanks Matthew and Adam.

Tom Kelchner