
Category: Spyware/adware warnings

November 6th, 2006

Zango, the FTC, MySpace and You Tube

Posted by Suzi Turner @ 6:18 pm

Categories: Spyware/adware news, Spyware/adware warnings


This past Friday, the FTC announced a $3 million settlement with Zango, formerly named 180solutions, in a lawsuit charging Zango with unfair and deceptive business practices, among other things. See ZDNet story here with more details. FTC announcement here. Case documents can be downloaded here.

As usual Zango refuses to take responsibility for anything, again blaming it on their naughty affiliates. From the ZDNet article:

Zango's executives pointed a finger elsewhere, claiming that the federal violations were due to third-party distributors rather than the software manufacturer itself. "We relied too heavily on our affiliates to enforce our customer notice and consent policies," said CEO Keith Smith. "Unfortunately, this allowed deceptive third parties to exploit our system to the detriment of consumers, our advertisers, and our publishing partners." Smith went on to say that Zango would "embrace the new standards" required by the FTC.

Er, cough.. cough.  SOS, different day. How long have the anti-spyware bloggers been writing about this now? Ben Edelman wrote about 180solutions installation methods in July 2004. Eric Howes summed up 180solutions' activities in 2005 with links to over 60 news stories and blogs.

I spoke with Ben Edelman about the FTC's settlement with Zango.  Ben states he has proof that Zango is currently not in compliance with the FTC agreement.

180 continues plenty of bad practices, including some unlabeled ads, materially misleading installations that fail to disclose key aspects of 180's effects, and installation attempts predicated on security exploits. I have the proof, and I expect to post this on my web site in the coming weeks, subject only to my busy travel schedule.

I commend the FTC's efforts here, but serious diligence will be required to assure that 180 actually complies with its many obligations under the settlement. At this instant, I am confident that 180 is not in compliance.

Are we surprised? Paperghost of Vitalsecurity blogged on Saturday, after the FTC announcement, that Zango download prompts are appearing alongside the Licat IM worm. Another rogue affiliate, I suppose.

Today Websense released an alert titled Fraudulent You Tube video on MySpace installing Zango Cash.

Websense Security Labs has discovered a number of user pages on the MySpace domain which have videos that look like they are from You Tube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called "Yootube.info."

There are screenshots and a video.  It must be the naughty affiliates again.  What next guys? 

 

October 26th, 2006

Halloween sites tricking users with malware

Posted by David Grober @ 8:07 pm

Categories: Spyware/adware warnings


Update October 27: This morning I contacted the owner of listed sites. The sites were indeed hacked, and the owner has since removed the malicious code from the web pages.

This is a nasty trick! There are a few Halloween sites being used to distribute malware, right at the time when unsuspecting web users might be searching for Halloween sites for fun. Patrick Jordan, aka Webhelper, has posted the details here with a screenshot of the code with iframe links to a well known malware distribution site.


The sites to avoid are:

Halloweensites.net, nwnlostsouls.com, vampirekits.com, and, on the same IP address but not a Halloween site, sudokugameboard.com. Others on a different IP address, californiaparanormalsociety.com and heatherclark.info, are also poisoned with the iframe links. The links go to the domain and IP whois information at domaintools.com.

It’s not clear to me if these websites might be hacked, or if they are intended to push malware, but I suspect they are hacked sites, especially since one of them, vampirekits.com, has content for the hosting company, Webair.com. Before posting this, I contacted the support phone number for the hosting company, Webair.com, and spoke to a support person who would not give me his name. This person said he was unable to do anything and I should email their abuse reporting address or call back in the morning. Not cool! Earlier this week I contacted another ISP about a hacked site, and the tech support people had the site down in less than 30 minutes, and that was about 3:00 AM their local time.

Patrick Jordan also posted information about the group behind the malware distribution site, and listed other sites in the same group. All should be avoided.

October 10th, 2006

Malware being spammed as PDF from retail stores

Posted by Suzi Turner @ 8:41 pm

Categories: Spyware/adware warnings


Reports surfaced today of spam purporting to be from Dell, Walmart, Circuit City or Sony confirming an order for a Sony Vaio computer with a PDF attachment, but the attachment is, in fact, a very nasty piece of malware named Haxdoor. Text of email:

Subject: Order ID : 37679041

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop. This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40

Order ID : 37679041

Payment by Credit card

Product : Quantity : Price

WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99

Shipping : 32.88

TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).  PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.  If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

Donna's Security Flash blogged this and it was posted at CastleCops security forum.  I wouldn't be surprised if a lot of people fall for this.  As the poster at Castle Cops said:

So you're sitting there scratching your head thinking "What order?" Boy oh boy… I sure as heck didn't order no stinkin $2,449.99 Sony VAIO from Circuit City!

Really makes ya wanna open that zip file to see if you've been had, right?
 

The supposed PDF attachment is really an executable named 37679041.exe, which is detected by AV vendors by various names.  Kaspersky named it Backdoor.Win32.Haxdoor.lf.  Symantec detects it as Backdoor.Haxdoor.R and others are calling it a variant of Goldun. Whatever you call it, it's quite an evil piece of malware. Haxdoor typically uses rootkit technology to mask itself.  Haxdoor is known to steal passwords, give a remote attacker access to the machine, may display advertising and often makes changes to the registry that lower system security. Some variants also disable software firewalls and anti-virus apps.  McAfee has a report here.

September 20th, 2006

Spyware pushers cash in big on zero day exploit

Posted by Suzi Turner @ 9:24 pm

Categories: Spyware/adware news, Spyware/adware warnings


I expect that most readers have already read about the latest zero day exploit, Microsoft Vector Graphics Rendering Library Buffer Overflow, discovered by Adam Thomas of the Sunbelt Software research team on Monday. I’m not going into detail on it — there is plenty of information about the exploit already, on ZDNet here, Secunia, US-Cert, SANS, and Microsoft Security Advisory (925568). George Ou has blogged that hardware enforced DEP stops the exploit from launching. A BleedingSnort signature has been created for the VML exploit.

SocketShield from Exploit Prevention Labs is said to block the exploit. SocketShield has a 30-day trial and the free Link Scanner on their website will check any URL for the exploit code. Sleazy porn sites are using this vulnerability to drop massive spyware on unsuspecting users.  Roger Thompson of Exploit Prevention Labs called it a "massive malware run" with "drive-by attacks hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities."

SunbeltBLOG lists nearly 50 threats being installed through this exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico, TagAsaurus, with some trojan downloaders and a backdoor thrown in the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware. I have not tested this exploit yet, but it sounds like the kind of payload that would render the machine nearly useless.

July 10th, 2006

Pushing Zango on MySpace

Posted by Suzi Turner @ 10:24 pm

Categories: Spyware/adware news, Spyware/adware warnings


Chris Boyd asked the question yesterday, Teenagers used to push Zango on Myspace? It does indeed look like teenagers, and older MySpace users as well, are being used to push Zango and not making a dime for it.  But the Zango affiliates and Zango itself must be taking in lots of $$$. How is this happening?  There are dozens of websites, like this one, MYSPACE VIDEOS, (click at your own risk) offering free videos for MySpace users to put on their web pages. The catch is, when you click to watch a video, you get a prompt to download Zango. The html code is available right there on the page so MySpace users can copy and paste it to their own pages. Embedded in that code is a link to Zango and an ID, which looks like an ID for that particular video with an affiliate ID embedded in it.  Here's a portion of the code. I've broken the link for obvious reasons and removed a lot of characters from that ID.

src="http cds.zango.com/download.aspx?  Id=bf265f33e036180a63a5920ded2045b3406ae13a2=.wmv

Easy way to push Zango and make some extra $$$, yes? That is, if you've no ethics or morals. I suspect the kids think it's ok — free stuff for their sites, but do they really know what they are doing? Likely not. Do you think they will read the EULA? Not. Are many of them under 18, installing and unwittingly spreading Zango even though the EULA says you have to be 18? And the box saying "By clicking Play Now I am at least 18 and I agree to the terms of the License Agreement above" is pre-checked! Screenshot here, from Chris's site. Once a user clicks Play Now, the download starts and they get Zango Search Assistant and Zango Toolbar. And the owner of the page where they got the html code for the video gets a payback. There is something terribly wrong with that picture.

Oh, and Chris Boyd found two MySpace profiles (screenshot) named "Zango":

Both created on the same day and at the same time, one pushed a toolbar and programs designed to "protect kids from predators".

The other? Well, imagine the scene…you see this profile floating round in Myspace, decide to visit it and…

…a popup launches from the Myspace page, prompting you to accept a licence to play a videofile.

It looks like Jimmy Daniels doesn't think this is cool, either. See his write up Zango (180 Solutions) Abusing MySpace Users.  

June 29th, 2006

New malware poses as WGA validation and notification

Posted by Suzi Turner @ 5:41 pm

Categories: Spyware/adware warnings


A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named "Windows Genuine Advantage Validation Notification", as seen in this line in the HijackThis log.

O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe

Thanks to security MVPs at the Aumha forum, I was able to get a sample today — this is one nasty little piece of malware.  I tested it on a virtual machine running XP Pro, totally unpatched.  On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.

On my virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.

Wgavn.exe immediately attempted to contact several different IP addresses.  The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.

Update June 30: Infoworld now has this story on wgavn.exe and says Sophos is calling it an AOL Instant Messaging worm and variant of the Cuebot family. Sophos named it W32.Cuebot-K.

Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic DDOS (distributed denial of service) attacks, scan local files and spawn a command prompt, Sophos said.

Worms that spread through instant messaging programs often appear as messages or links sent from friends, which trick a user into executing the program. Cuebot-K propagates by sending itself as a file named "wgavn.exe" to more people in the user’s "Buddy List" but without a message, Cluley said.

Both victims posting for help in the forums had AIM, so I'm not surprised that's how it spread. The article says the worm immediately tries to contact two websites, but I observed it contacting three URLs and the firewall log showed four IP addresses.

eepny.stjohnspark.net
ljrpq.haxx.biz
kroqc.haxx.biz
209.11.244.114
209.11.244.115
209.11.244.162
209.11.244.165

These belong to AS35908 VPLSNET, as seen here on a tracert from dnsstuff.com. VPLS Inc.'s website can be seen here. The whois info for haxx.biz is very sketchy and stjohnspark.net is registered to Haxx Enterprises. Interesting.
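The host names and addresses listed above are exactly what an admin would want to sweep firewall logs for. The following is an added example, not code from the post: it takes that list, splits it into exact IPs, the /24 netblocks they sit in, exact host names and their parent domains (haxx.biz, stjohnspark.net), and labels each matching log line. The log lines and their layout (date, time, action, process, destination:port) are constructed for the demo and do not follow any particular firewall product's format.

```python
"""Match firewall log lines against the hosts and IP addresses listed above.

Added example, not part of the original post. INDICATORS is the list quoted
in the post; SAMPLE_LOG and its column layout are constructed for the demo."""
import ipaddress
import re

INDICATORS = [
    "eepny.stjohnspark.net",
    "ljrpq.haxx.biz",
    "kroqc.haxx.biz",
    "209.11.244.114",
    "209.11.244.115",
    "209.11.244.162",
    "209.11.244.165",
]

# Constructed sample log: two lines match exactly, one only by netblock,
# two are ordinary traffic.
SAMPLE_LOG = """\
2006-06-29 14:02:11 ALLOW wgavn.exe 209.11.244.114:6667
2006-06-29 14:02:12 ALLOW wgavn.exe ljrpq.haxx.biz:6667
2006-06-29 14:02:12 ALLOW iexplore.exe 207.46.197.32:80
2006-06-29 14:02:15 ALLOW wgavn.exe 209.11.244.200:6667
2006-06-29 14:02:20 ALLOW aim.exe login.oscar.aol.com:5190
"""

DEST_RE = re.compile(r"(\S+):(\d+)\s*$")


def _as_ip(value):
    """Return an ip_address for a dotted quad, or None for a host name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def compile_indicators(indicators):
    """Split the flat list into exact IPs, their /24 netblocks, exact hosts
    and the parent domains of those hosts (e.g. haxx.biz)."""
    ips = {ip for ip in (_as_ip(i) for i in indicators) if ip is not None}
    hosts = {i.lower() for i in indicators if _as_ip(i) is None}
    domains = {h.split(".", 1)[1] for h in hosts if h.count(".") >= 2}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return ips, nets, hosts, domains


def classify_destination(dest, compiled):
    """Label one destination, or return None when nothing matches."""
    ips, nets, hosts, domains = compiled
    addr = _as_ip(dest)
    if addr is not None:
        if addr in ips:
            return "listed ip"
        if any(addr in net for net in nets):
            return "same /24 as a listed ip"
        return None
    host = dest.lower()
    if host in hosts:
        return "listed host"
    if any(host == d or host.endswith("." + d) for d in domains):
        return "listed domain"
    return None


def scan_log(log_text, indicators=INDICATORS):
    """Return (process, destination, port, label) for every matching line."""
    compiled = compile_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        m = DEST_RE.search(line)
        if not m:
            continue
        label = classify_destination(m.group(1), compiled)
        if label:
            hits.append((line.split()[3], m.group(1), int(m.group(2)), label))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The netblock and parent-domain matches are deliberately reported with their own labels so they can be treated as lower-confidence leads rather than as confirmed hits; the post only vouches for the exact hosts and addresses it lists.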

June 27th, 2006

Engaged in marketing adware and anti-adware

Posted by Suzi Turner @ 9:25 pm

Categories: Spyware/adware warnings


Here’s a lesson in Conflict of Interest 101. A new so-called adware removal program hit the net recently — literally hit the net as in being downloaded through exploits and bundled with other nasty-ware like DollarRevenue and Look2Me. This program is called AdwareFinder. Take a close look at the page and on the lower right side you’ll see "AdwareFinder is proud to be a member of the Network Advertising Initiative" next to the NAI logo. This new rogue anti-adware program was blogged at SunbeltBLOG after being discovered by one of the researchers in a large DollarRevenue infestation. The definitions "database" consists of a "spy" file with a list of file names and program names — that’s it.  Nothing more, nothing less.  You can see contents of the text file here.  Example:

ieupdates.exe
updaterie01.exe
fixieupdate.exe
DyFuCA
Internet Optimizer
STWSI
wsem210.dll

Based on that "database", I’d assume the scan engine does "dumb string scans".  Not much of an anti-adware/spyware program, eh?

Here's where the conflict of interest lies – a couple of days ago I got into a massive DollarRevenue infestation myself, all started by executing two old DollarRevenue files from my malware archive, and ended up with something like 43 adware/spyware/malware programs on my virtual machine. Among those programs were two apps I hadn't seen before from — you guessed it — the same company that makes AdwareFinder, EngageMARKETING. I had their EngageSideBar and their Contextual Toolbar installed with no notice or consent. Never mind that the Contextual Toolbar page also has the NAI logo.

Here’s what EngageMARKETING says about themselves.

engageMARKETING provides valuable software programs and comparison shopping tools free in exchange for occasionally displaying contextually relevant advertising based on real-time online behavior. Not to be confused with spyware, engageMARKETING protects user privacy at all times, never profiling users or tracking personally identifiable information.

EngageMARKETING’s products may not be spyware, but it was installed by spyware and with spyware. Along with the Engage apps, I managed to have DollarRevenue, Look2Me, Qoologic, TagAsaurus, RegiFast, SurfSideKick, ZenoTecnico, NewDotNet, (links to information at AV and anti-spyware sites) various trojan downloaders, password stealers — an ugly mess.

So, here we have a company selling an essentially useless anti-adware program and allowing it *and* their adware programs to be bundled with spyware downloaded through exploits, installing silently with no notice and consent. 

Who is behind this mess?  It’s hard to say. The engageMARKETING website shows:

Engage Marketing

Corporate Headquarters:

Jr. Quito 2379 - Jesus Maria - Lima – Peru

info@engagemarketing.com

The domain registration whois info doesn’t help as the domain is registered through Moniker Privacy Services.  Adwarefinder.com shows an address in San Francisco and the name Internet Revenue Services, Inc., which is found in the California Corporations database. 

One has to wonder what these people are thinking and if the NAI is aware of what's really going on with the company, or if the company is really a member of the NAI, in fact. In looking at the list of members, I don't see EngageMARKETING on the list. Hmm… I may have more on this later.

June 27 update: I contacted NAI regarding the claims on the adwarefinder and contextual toolbar pages and received a reply that EngageMARKETING is not a member of NAI. NAI also found an address and phone number, supposedly for Engage's legal department, in Naperville, IL, but when they called the phone number, the person who answered claimed they never heard of the company or the web sites. Not surprising.

May 22nd, 2006

IM browser hijack with music

Posted by Suzi Turner @ 9:30 pm

Categories: Spyware/adware warnings


From FaceTime’s Greynets Blog — I’m not kidding — spread through instant messaging, a browser hijacker that plays music and it’s named Safety Browser. Oh, the irony.

This Safety Browser affects Yahoo Messenger and is installed by a worm dubbed yhoo32.explr, according to the FaceTime press release. This worm installs a new browser without notice and consent and changes the victim’s homepage. More from the press release:

"This is one of the oddest and more insidious pieces of malware we have encountered in years," commented Tyler Wells, Senior Director of Research at FaceTime Security Labs. "This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."

The write up at Greynets Blog has screenshots and humor. The FaceTime researchers apparently had fun with this one, or maybe not.

…you see the above appear slap bang in the middle of your desktop. Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n’ bass beats. This madness continues for some time, and for the victim there is another "surprise"…every single time they boot up their PC from that moment on, the music greets them as their desktop appears and loops for a random amount of time. Words cannot convey the awful feeling of nausea this induces…testing a hijacking application has never been so painful!

What will the spyware pushers come up with next?

 

April 21st, 2006

Spamming malware: Parite.B and IRC backdoor disable anti-spyware programs

Posted by Suzi Turner @ 8:31 pm

Categories: Spyware/adware warnings


I got a spam this morning with a subject line of "yahoo send you postcard" from "postcard". Of course all the alarms went off in my head, but there was no attachment and I have a nice little freeware app called PocketKnife Peek that lets you preview an email in plain text, view the html source, the headers and attachments without opening the email. (Minor rant — why doesn’t Outlook 2003 have that feature?!)

The email was simple.  Note, I deactivated the link to the infected file.

Hello
You have just received a postcard from www.yahoo.com. If you’d like to see the rest of the message click here (tapshed.co.uk/~info/postcard.gif.exe) to receive your animated postcard!

===================

Thank you for using our  services !!!

Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !

==================

I was sure that postcard.gif.exe was malware and I started VMware and downloaded the file from the link. The file looks innocent enough with this icon.

[screenshot: postcard_1.JPG, the icon of postcard.gif.exe]

I ran the file with InCtrl5 to see exactly what it did.  It dropped a file svchost.exe in C:\WINDOWS\System\  — note not where the legitimate Windows file svchost.exe runs from, and it installed an IRC server in the same folder. I’ve seen lots of adware and spyware files and watched what they do, but this was my first time having an IRC server in my machine.  There was plenty of activity with many connections using TCP:6667, a known port for IRC and malware.  Here’s a portion of the IRC server config file:

n0=2peu.roSERVER:2peu.ro:6667GROUP:Undernet
n1=Lelystad.NL.EU.UnderNet.OrgSERVER:Lelystad.NL.EU.UnderNet.Org:6667GROUP:Undernet
n2=Ede.NL.EU.UnderNet.OrgSERVER:Ede.NL.EU.UnderNet.Org:6667GROUP:Undernet
n3=London.UK.Eu.UnderNet.orgSERVER:London.UK.Eu.UnderNet.org:6667GROUP:Undernet

Apparently Undernet.org (link to whois) has been around for a long time and may be used for a lot of warez file swapping from what I’ve heard.

The installer and svchost.exe files were detected by scanners at Jotti's online malware scan site as Parite.B and all the IRC files were detected as Backdoor.IRC.Zapchast. You can read a description of Parite.B here (Panda) and Backdoor.IRC.Zapchast here (Sophos). Neither of these are new, but there appear to be some new variants making the rounds.

What's bad about this scenario is that most users wouldn't have any clue that they were infected if they don't have an anti-virus. Most of the connections completely bypassed the firewall running inside the vm. Using Task Manager to view the running processes might clue someone in if they noticed svchost.exe running from an atypical location.
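The two tells described in this post, a svchost.exe that is not in System32 and a process holding connections on TCP 6667, can be checked mechanically instead of by eye in Task Manager. The following is an added example, not code from the post: it takes a process snapshot and a connection table (both constructed here to mirror what the post describes, with the IRC servers taken from the config excerpt above), flags any binary that carries a System32-only name but runs from elsewhere, and notes whether that process is talking on the IRC port. The list of System32-only names and the C:\WINDOWS system root are assumptions for the demo.

```python
"""Flag a process that borrows a Windows system binary's name but runs from the
wrong directory, and note whether it is connected on the IRC port.

Added example, not part of the original post. PROCESSES and CONNECTIONS are
constructed snapshots; SYSTEM32_ONLY is an assumed shortlist."""
import ntpath

# Names that on a normal XP box live only under %SystemRoot%\System32 (assumed shortlist).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM32 = r"C:\WINDOWS\System32"   # assumed system root for the demo
IRC_PORTS = {6667}

# Constructed process snapshot: (pid, full image path).
PROCESSES = [
    (612, r"C:\WINDOWS\System32\svchost.exe"),   # the real one
    (1284, r"C:\WINDOWS\System\svchost.exe"),    # the dropped copy from the post
    (1302, r"C:\WINDOWS\explorer.exe"),
]

# Constructed connection table: (pid, remote host, remote port).
CONNECTIONS = [
    (612, "update.microsoft.com", 80),
    (1284, "Lelystad.NL.EU.UnderNet.Org", 6667),
    (1284, "2peu.ro", 6667),
]


def masquerading(processes):
    """Return {pid: path} for images whose name is System32-only but whose
    directory is not System32 (case-insensitive, like the Windows file system)."""
    bad = {}
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        directory = ntpath.normcase(ntpath.dirname(path))
        if name in SYSTEM32_ONLY and directory != ntpath.normcase(SYSTEM32):
            bad[pid] = path
    return bad


def irc_talkers(connections):
    """Return the set of pids with at least one connection on an IRC port."""
    return {pid for pid, _host, port in connections if port in IRC_PORTS}


def triage(processes, connections):
    """Combine both checks: (pid, path, talks_irc) for each masquerading process."""
    suspects = masquerading(processes)
    irc = irc_talkers(connections)
    return [(pid, path, pid in irc) for pid, path in sorted(suspects.items())]


if __name__ == "__main__":
    for pid, path, talks_irc in triage(PROCESSES, CONNECTIONS):
        print(f"pid {pid}: {path} (IRC connection: {'yes' if talks_irc else 'no'})")
```

On a live machine the two input lists would come from a process enumeration and from netstat output; the path comparison uses ntpath.normcase so that C:\Windows\system32 and C:\WINDOWS\System32 compare equal, while C:\WINDOWS\System does not.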

I started to run my anti-spyware scanners and got a surprise. SpywareDoctor didn’t want to open and gave an error message saying the program had been damaged and should be reinstalled. Spy Sweeper gave a similar error message and opened, but many of the options were grayed out, including the scan option. Ad-Aware and Spybot Search & Destroy both opened normally. I went back to Jotti and scanned the main executable for each app, including the two that opened normally, and they all came back infected with Parite or Parite.B!  I suppose if I’d had an anti-virus running inside the vm the same thing might have happened to it.

The other question is what would happen to the machine left infected over a period of time with a backdoor and IRC server running? It might become part of a bot net and spread malware, it might be used for spamming or in a DDoS attack. It would likely have more malware installed, possibly a rootkit and maybe some adware, too.  I saved a snapshot of the infected vm, so maybe I’ll find out.

The moral of this story? Don't click on links in emails from unknown sources, or even from known sources because the senders can be forged, unless you are sure it's safe. I know people reading this blog already know that but apparently a lot of people don't know or don't care, otherwise the malware pushers wouldn't continue sending these spams.
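Both this postcard spam and the fake order confirmation in the October post rely on the same two tricks: an executable wearing a document extension (postcard.gif.exe) and a message body that promises one file type while the attachment is another ("37679041.pdf" in the text, 37679041.exe on disk). As an added example, not code from either post, here is a classifier for attachment names that catches both, and also the variant where padding spaces push the real extension out of view; the extension lists are an assumed shortlist and the sample names and body text are constructed from the quoted messages.

```python
"""Classify e-mail attachment names for the deceptive patterns described in the
postcard and fake-order posts above.

Added example, not part of the original posts. EXECUTABLE_EXTS and DOCUMENT_EXTS
are assumed shortlists; ORDER_BODY is constructed from the quoted message."""
import re

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"pdf", "gif", "jpg", "jpeg", "png", "doc", "txt"}

# A quoted file name with a document extension inside the message body.
CLAIMED_FILE_RE = re.compile(r'"([\w.-]+)\.(pdf|gif|jpe?g|png|doc|txt)"', re.IGNORECASE)


def claimed_file(body):
    """Return the (stem, ext) the message body says it is sending, or None."""
    m = CLAIMED_FILE_RE.search(body)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def classify_attachment(name, body=""):
    """Return the reasons an attachment looks deceptive; an empty list means none found."""
    # Collapse whitespace padding that hides the real extension in a mail client.
    parts = re.sub(r"\s+", "", name).lower().split(".")
    if len(parts) < 2:
        return ["no extension"]
    ext = parts[-1]
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension: posing as .{parts[-2]}")
    claim = claimed_file(body)
    if claim and claim[1] != ext:
        reasons.append(f"body promises .{claim[1]} but attachment is .{ext}")
    return reasons


# Constructed from the fake order confirmation quoted in the October post.
ORDER_BODY = ('Your Order Summary located in the attachment file '
              '( self-extracting archive with "37679041.pdf" file ).')

if __name__ == "__main__":
    for fname, body in [("37679041.exe", ORDER_BODY),
                        ("postcard.gif.exe", ""),
                        ("invoice.pdf", "")]:
        print(fname, classify_attachment(fname, body))
```

The body check is kept separate from the name check on purpose: a bare .exe attachment is already worth flagging, but a body that names a .pdf while the file is a .exe is the stronger signal, since it shows the sender intended the mismatch.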

March 30th, 2006

Spyware in your cell phone -- what next?

Posted by Suzi Turner @ 3:57 pm

Categories: General, Spyware/adware warnings


I just read CNET reporter Joris Evers’ article about new spy software that hides on cell phones. I think it’s outrageous, but I guess it shouldn’t be too surprising since there’s already spyware for your automobile. This spyware for cell phones is called FlexiSpy. FlexiSpy went on the market March 1 and is advertised as a tool to track kids and errant spouses. This software captures call logs, text messages, mobile Internet connections, and new features are being developed.  The captured data is sent to vendor Vervata’s servers and can be accessed on a website.

Oh, this is so ripe for abuse! FlexiSpy sounds like the equivalent of a key logger on a computer. Anti-domestic violence groups are outraged, and rightfully so. Security company F-Secure has labeled the application as a Spy Trojan, Flexispy.A, and has added detection for it to their mobile anti-virus. F-Secure says FlexiSpy is hidden from the Symbian process menu and is invisible to the phone user. The hidden interface can be accessed with a code known only by the person who installed FlexiSpy. Just like a key logger.

The F-Secure blog and threat description have screenshots of the user interface. FlexiSpy records server time, direction, duration, phone number and contact name. It also records contents of SMS messages. Right now FlexiSpy is available only for cell phones using the Symbian operating system, but plans are in place to release versions for BlackBerrys and phones running Windows Mobile Pocket PC. A Pro version is in the works, too. The Pro version will allow the user to actually listen to conversations on the phone, log email messages and multimedia messages.

The company selling FlexiSpy, Vervata, based in Bangkok, Thailand, defends the application since it has to be knowingly installed by a human, does not self replicate or pretend to be something it's not, and can be uninstalled. That's nice. This software has a huge potential for abuse because it can be used to monitor someone without their knowledge and consent.

One has to ask, is it ever morally and ethically acceptable to monitor someone’s communications without their knowledge and consent, whether with a key logger on their computer or with a spy program on their cell phone?

There are some interesting points in the Talkbacks on Evers’ article. Here the poster points out another concern: the potential for abuse of the information stored on the website. She mentions the security of the site — what if hackers got the information?  I’d want to see the site’s privacy policy and know what security measures they have in place.

I'd like to know what readers think about the question — is it ever acceptable to electronically monitor someone without their knowledge and consent? A Florida court said NO. The court ruled a wife broke the state law against wiretapping by installing surveillance software Spector on her husband's computer and recording his online activities. The wiretapping law says that anyone who "intentionally intercepts" any "electronic communication" commits a criminal act. It seems to me that the use of FlexiSpy breaks that law, too.

March 24th, 2006

Malware pushers already using zero-day exploit

Posted by Suzi Turner @ 2:18 pm

Categories: Security and prevention, Spyware/adware warnings


Yesterday the news hit about another zero-day exploit for Internet Explorer with code publicly available and today the malware pushers are already using the exploit. George Ou has a good post about the exploit including instructions on how to turn off active scripting for home users and for all computers in a domain.

The Secunia advisory here says:

The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.

This vulnerability has been confirmed on a fully patched Windows XP SP 2 system running Internet Explorer 6 and affects IE 7 Beta 2 preview released in January. Other versions may be affected. AFAIK Firefox, Mozilla and Opera are not affected. Microsoft advisory here.

SANS has raised InfoCON to yellow. Ed Skoudis wrote:

At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights… here are the results:

Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, config’ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed

So, go with the last one, if you are concerned.  By the way, you should be concerned.

Security and spyware researchers have already seen sites in the wild running this exploit. Some appear to be hacked sites using iframes. Network admins and ISPs are being notified. One such hacked site was downloading a keylogger.

For Windows users — even if you use Firefox or Opera, I recommend you disable active scripting because a lot of apps will cause IE to open. If you disable active scripting, you might need to put some sites in your Internet Explorer trusted sites zone for certain features to work.

Update 5:40 PM: Websense is reporting a rapid increase in sites using this exploit. At the time of the blog post, nearly 100 unique URLs had been found attempting to run this exploit. There is also suspicion that web server exploits are being used to compromise sites intended to be used to run the IE exploit. Travel related websites and sites using phpBB are mentioned.

Network/sys admins, webhosting companies and webmasters – *please* secure your web servers!  I’ve read some shocking evidence of lack of knowledge regarding security of web servers, mostly Apache servers, on various webhosting and webmaster forums.  It’s truly frightening.

March 12th, 2006

Live in action: botnet, fake Windows sites and keylogger

Posted by Suzi Turner @ 7:57 pm

Categories: Spyware/adware warnings


This has been occupying a lot of my attention since Friday. It started off with a message at my SpywareWarrior forum from Adam Piggott of Proactive Computing, about a spam email (screenshot) he received purporting to be from Microsoft. The email had a link to a supposed Windows update site, but, in fact, the link went to a site running the WMF exploit. On an unpatched Windows computer, the exploit hits immediately. Social engineering is also at work, urging users to click a link at the site to get Windows updates. Either way, unpatched, or patched and clicking the link, a user gets hit with a trojan downloader; in this case the trojan file name is wusetup.exe.

Note I’m using the present tense because, even though we got the first site shut down Friday evening, now another almost identical site is up and still live AFAIK.  Authorities and the ISP hosting the second site have been notified. The site is hosted in the US. I made a video (WMV) of the exploit at the first site, now shut down.

The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger is writing information stolen from infected machines to a log on a remote server — the same situation as described here in SunbeltBLOG’s post last August when their researcher discovered the first of this new series of winldra variants.

For more details on this current exploit and botnet, see SunbeltBLOG’s write up, which includes screenshots of the fake Windows update site and live botnet on the Russian server. Note - the trojan downloader file wusetup.exe is currently detected by less than half the antivirus scanners at virustotal.com. Sunbelt’s screenshot here.

March 9th, 2006

New rogue anti-spyware and SpySheriff clone

Posted by Suzi Turner @ 9:26 pm

Categories: Spyware/adware warnings

Tags:

These rogue anti-spyware programs seem to multiply like rabbits. Just 2 days ago I wrote about Spy-Shield, an anti-spyware app that installs adware from BestOffersNetwork. Then yesterday SunbeltBLOG featured another new rogue anti-spyware app named BraveSentry. The Sunbelt researchers found a domain running exploits and force-installing not just one rogue anti-spyware app but two.  Maybe the pushers thought two rogues would be more convincing to frighten the user into buying one of them? The domain running the exploits is a known CoolWebSearch domain, Game4all(dot)biz (link to whois) which is hosted in Russia. SunbeltBLOG has screenshots of the hijacked desktops with BraveSentry and AlfaCleaner. The BraveSentry website is hosted at InterCage, formerly Atrivo, which I blogged about previously, and its neighbor on the same IP (69.50.166.195) is anosurfer.com, another site for SpySheriff. (Links are to whois info, not to the sites.)

And… speaking of SpySheriff, which got number 2 place on the top 10 rogue anti-spyware of 2005, another SpySheriff clone emerged today - PestWiper, which also "happens" to be hosted at InterCage.

Wouldn’t you know it, there’s already a complaint on an anti-spyware forum about being hijacked by BraveSentry. I wouldn’t be surprised to see similar complaints about PestWiper soon. I believe the Antispyware Conspiracy that Mark Russinovich (of Sony DRM rootkit fame) wrote about here is very real. 

On a side note, I received an email today from a vendor whose anti-spyware program is listed on the Rogue/Suspect Anti-Spyware page. He was, of course, complaining about his product being listed, but one of the statements in his email really got my attention:

In our opinion, the Adware is one of the best ways to advertise antispyware product because users who got Adware would need a way to clean and protect their computers.

If I understand that correctly, he is saying that it’s not only ok, but good, to use adware to advertise antispyware products. Fascinating, isn’t it? And that’s not one of the problems noted with his app, either.  Not  yet, at least…

If anyone lands here from a search engine and has been hijacked by any of the above mentioned rogues, you can get help with removal at one of the anti-spyware sites listed on this page.

March 7th, 2006

Anti-spyware program installs adware from BestOffersNetwork

Posted by Suzi Turner @ 9:42 pm

Categories: General, Spyware/adware warnings

Tags:

Yesterday I found a Google AdWords ad (using the words Spy Sweeper) for a new anti-spyware app called Spy-Shield. It looked suspicious right away because the homepage shows a supposed scan in progress that appears to find spyware. The front page also says the application is free "with the help of integrated ads that are displayed periodically through Spy-Shield." Sure enough - the app will not install unless the user agrees to install software from the BestOffersNetwork, which is Direct-Revenue renamed.

I’ve blogged the details including screenshots and results of testing Spy-Shield here.

February 14th, 2006

SpyAxe replacement: SpyFalcon

Posted by Suzi Turner @ 7:05 pm

Categories: Spyware/adware warnings

Tags:

The name SpyAxe, top rogue anti-spyware app of 2005, brings up anger and frustration for its many victims, but now SpyFalcon has burst on the scene looking like a replacement for SpyAxe. SpyFalcon, just like SpyAxe, is being installed along with trojans through exploits. A screenshot can be seen here at SunbeltBLOG. Nick’s Computer Security blog has instructions for ridding your computer of SpyFalcon in case you landed here looking for help with it.

The domain whois shows:

Registrant:
    SunShine Ltd
    David Taylor        (Whois Privacy and Spam Prevention by Whois Source)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

Creation Date: 16-Jan-2006
Expiration Date: 16-Jan-2007

Domain servers in listed order:
    ns1.antispydns.biz
    ns2.antispydns.biz
    ns3.antispydns.biz

I wouldn’t be surprised if the information is false. The IP address 195.255.176.79 belongs to Netcathost in the Ukraine and hosts 2 other domains, spyfalconupdate.com and updateyourwindows.com (links to whois), and the IP address is blacklisted by Spamhaus.

February 2nd, 2006

Winamp exploit used to push spyware

Posted by Suzi Turner @ 9:49 pm

Categories: Spyware/adware warnings

Tags:

That didn’t take long. The Winamp vulnerability in version 5.12 was announced at Secunia just a few days ago, details here. Note the Secunia advisory says "an exploit is publicly available". Nullsoft released Winamp 5.13 the same day the exploit was announced, but the spyware pushers saw an opportunity to infect more machines and make more money. SunbeltBLOG posted a Winamp exploit found in the wild today. A malicious Winamp playlist file (.pls) was discovered that causes Winamp to open and subsequently download an ugly CoolWebSearch infection called HomeSearch Assistant, also dubbed Trojan/Startpage.HSA, along with the ransomware anti-spyware SpySheriff. The Sunbelt post states the exploit takes place from 008k.com, IP 195.225.177.27 (links go to whois) at Netcathosting and recommends that network admins and home users block the site. Netcathosting is one of those ISPs known to host spyware; see yesterday’s post. Sunbelt also posted a screenshot of the hijacked browser showing domain lookfor.cc (link to dnsstuff.com).

The infected playlist file was detected by only one of the VirusTotal scanners as of 4:38 PM EST today. I wouldn’t be at all surprised to hear of more infected Winamp playlist files.  The spyware pushers will use any and all exploits to further their dirty business. Users can thwart the dirty business in this case by updating Winamp and blocking the domains mentioned. 

January 20th, 2006

New spyware trick - fake keylogger scare tactics by rogue anti-spyware

Posted by Suzi Turner @ 2:43 pm

Categories: Spyware/adware warnings

Tags:

I don’t know if these rogue anti-spyware/spyware pushers are getting desperate, or they think no one will notice, but super rogue Razespyware, which earned a place on the top 10 rogue anti-spyware of 2005, has a new very dirty and very deceptive trick to frighten users into paying for the software.  I read where someone called these apps ransomware, which is quite appropriate given their behavior.  SunbeltBLOG has posted screenshots and an explanation of this trick, along with some information about who might be behind it. Researcher Adam Thomas wrote:

For the past week, our Spyware Research team has been observing Raze Spyware being silently installed without user consent through various exploits. Raze Spyware is already a long time member of Eric Howes' Rogue Anti-Spyware products list. Dubious installation methods are a common practice for these Rogue Anti-Spyware applications. To make matters worse, we have also found a fake keylogger being installed alongside of Raze Spyware! The program then alerts the user that they are infected with the "keylogger".

The fake keylogger is named keylogger32.exe. But it doesn’t stop there. The infected machine was noted to transmit data to the pills-catalog.net domain where a bot-net controller was revealed.  Note the screenshots of the warning about the fake keylogger and of the bot-net controller in action. 

Who might be behind this egregious trick?  Sunbelt posted the domain names and whois information.  Razespyware.net (link to whois) is registered to an outfit called Painter Co.

Domain Name: RAZESPYWARE.NET

Registrant:
    painter co
    painter 

    255 West 36 Street New York , NY 10018-7555
    New York
    null,23878
    US
    Tel. +212.3002000

The domain pills-catalog.net (link to whois) shows:

Domain Name: PILLS-CATALOG.NET

Registrant:
    Pant Co
    Pant         

    Colonnel By Hall A510
    New York
    null,11201
    US
    Tel. +91.2263475146

I have no idea if this registration info is accurate or not.  If anyone has knowledge of those addresses, I’d be interested.

So where are these websites hosted?  Razespyware.net is hosted at IP address 66.29.15.14, according to whois.sc, and located in Parsippany, New Jersey according to dnsstuff.com. It apparently belongs to Net Access Corporation.  Pills-catalog.net is shown by whois.sc to be at IP address 69.50.167.162 and belongs to InterCage, Inc. in Concord, California. InterCage was mentioned as hosting the domains of other super rogue anti-spyware apps, too. Both domain names were registered through Estdomains.  Estdomains.com is registered to InterCage as well, and the website at IP 69.50.183.26 appears to be hosted by InterCage.

My advice to anyone who is infected with Razespyware, after getting your machine cleaned up, is to file reports with the Federal Trade Commission using their Consumer Complaint form here, and to the Center for Democracy & Technology (CDT) here. Companies perpetrating these egregious spyware tricks need to be stopped.

January 18th, 2006

More super rogue anti-spyware

Posted by Suzi Turner @ 11:29 pm

Categories: Spyware/adware warnings

Tags:

Be on the lookout for another new supposed anti-spyware program that might be hijacking desktops any day now.  This one is called PestTrap and it’s a clone of SpySheriff. SpySheriff was one of the top 10 rogue anti-spyware apps of 2005, coming in at number 2.  You can see a screenshot of the PestTrap website at SunbeltBLOG and a screenshot of the app itself, along with the false positives in the scan results here. You’ll see that SpySheriff, SpyTrooper, SpyDemolisher, SpywareNo! and Spyware-Stop are almost identical.  If you scroll down the page a bit, you can see the other families of apps like SpyAxe and RazeSpyware that are deemed to be CoolWebSearch related by spyware researchers. 

PestTrap was found being advertised on a new fake security center web page, uptodatesecurity.com (link to whois info).  I don’t recommend going to that page in Internet Explorer. Even in Mozilla a fake warning pops up saying "your pc is infected with spyware blah.. blah…".  The domain is showing up in HijackThis logs already.  Example here.

Last week I mentioned ISPs hosting spyware, but where are these CWS related rogue apps being hosted?  Look at the whois info for pesttrap.com. Unlike SpyAxe which is hosted in the Ukraine, the PestTrap site is hosted at IP address 69.50.167.173 which belongs to an ISP in California, InterCage, Inc., formerly known as Atrivo.  Note the nameservers are mail.atrrivo.com and pavel.atrivo.com.

OrgName:    InterCage, Inc.
OrgID:      INTER-359
Address:    1955 Monument Blvd.
Address:    #236
City:       Concord
StateProv:  CA
PostalCode: 94520
Country:    US

The IP address is currently blacklisted by SORBS and Spews. Even the Intercage.com domain has been blacklisted for spam back to September 2005. The Spews record has some interesting info as well.

Not surprisingly, SpySheriff.com (link to whois) is hosted at InterCage, and we have SpyTrooper.com on the same IP address, 69.50.170.82. The other domain on the IP is Spy-Sheriff.com. This IP is also currently blacklisted.

InterCage, Inc. INTERCAGE-NETWORK-GROUP (NET-69-50-160-0-1)
                                  69.50.160.0 - 69.50.191.255
William Lu STANDARDSHELLS (NET-69-50-170-0-1)
                                  69.50.170.0 - 69.50.170.255

The Intercage.com (link to site) home page is white and blank except for "…" in the upper left corner.  Now, that seems odd to me. An ISP with a blank homepage? Google searches for Intercage.com and Intercage, Inc. bring up all kinds of interesting links.  A Google search for Atrivo produces even more  fascinating information like this and this.  More on this one later.

January 6th, 2006

AIM users targeted again by IM worm, rootkit and adware

Posted by Suzi Turner @ 3:50 pm

Categories: Spyware/adware news, Spyware/adware warnings

Tags:

Hot off the press — another IM worm is making the rounds, targeting AIM users and leaving a nasty payload of rootkits, trojans and adware including 180solutions and Zango.

Research experts at FaceTime Security Labs(TM), the threat research division of FaceTime Communications, identified and reported a new threat today affecting AOL Instant Messenger (AIM) applications. The new worm targets PC hosts infected with lockx.exe or palsp.exe and utilizes IRC enabled malware to connect the host to a server for further infection through a series of commands. One of the commands has the ability to control the AIM client on the infected host and send a message containing links to the AIM buddy list. When recipients click on the link they become infected with new variants of the IRC enabled malware along with an installation executable "creame.exe" which delivers multiple adware payloads including Zango and 180 solutions.

More at VitalSecurity. Paperghost, aka Chris Boyd, writes that the payload includes not only rootkits, but a rootkit detection application, Rootkit Revealer.  Boyd gives the following rundown:

IM hackers distribute rootkit.
IM hackers then control a global botnet where their infections can be tested and payloads are pushed.  Facetime traced these hackers to the Middle East.
The same IM hackers sent movies by way of IRC and their own version of BitTorrent, installing it without consent. Now the IM hackers are back with more, nastier malware, Rootkit Revealer and adware from 180solutions/Zango.

Users already infected with the files lockx.exe or palsp.exe are most at risk, but any user clicking on the wrong IM link can be infected. There’s an executable called creame.exe that delivers the adware including 180solutions and Zango. Facetime has a free online scan that detects and disables files such as lockx.exe. If you’re an AIM user and notice anything unusual, I’d say head for the free scan ASAP. The link for the free scan can be found here. Beware links in AIM, as the attacker can control the infected host machine and send IMs to anyone on the buddy list, meaning even though the link seems to be coming from a friend, don’t click!

Now the question is… what excuse is 180solutions going to come up with now? At last notice, 180 was reporting:

a year of major changes for 180solutions, including technology upgrades and even more aggressive enforcement efforts, but the biggest change of 2005 was the complete overhaul of our distribution model.

It seems like that overhaul wasn’t so complete after all.

January 5th, 2006

New rogue is SpyAxe clone

Posted by Suzi Turner @ 10:01 pm

Categories: Spyware/adware warnings

Tags:

I just learned about a new supposed anti-spyware program, an identical twin to SpyAxe. SpyAxe got number one on the 2005 top ten rogue anti-spyware list. This new app is called SpywareStrike and I wouldn’t be surprised to hear that it is downloaded with spyware just like its twin SpyAxe. The SpywareStrike website is identical to the SpyAxe site except for the name.  The domain registration information looks familiar, too.

Domain Name: SPYWARESTRIKE.COM

Registrant:
    Keramitsu  LLC
    David Alan Taylor       
    321th Melburn Street
    Seattle
    Washington,98107
    US
    Tel. +207.9545521

Like the SpyAxe.com registration information, this looks bogus. The domain is also registered through Estdomains, which I recently found out is an ICANN accredited registrar. (Shame on ICANN.)  The website shares the IP address with SpyAxe.com and is hosted by Netcathosting in the Ukraine.  Netcathosting got SANS most hated IP of the year.
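As an added example (not the blog's or Sunbelt's code), here is a small Python triage script that parses the Registrant blocks quoted in the SpyFalcon and SpywareStrike posts above and flags the kinds of inconsistencies those posts point at: a null state field, a phone country code that does not match the stated country, a malformed street ordinal, and a contact name that recurs across domains. The calling-code lookup is a constructed partial table covering only the countries in the quoted blocks.

```python
import re

CALLING_CODES = {"US": "1", "PH": "63"}  # constructed partial lookup, not a full table

def parse_registrant(block: str) -> dict:
    """Parse a 'Registrant:' block as quoted above: org, name, street line(s),
    city, 'state,postal', country, 'Tel. +cc.number'. Privacy notes in () are dropped."""
    lines = [re.sub(r"\s*\(.*?\)\s*$", "", l.strip()) for l in block.splitlines()]
    lines = [l for l in lines if l and l != "Registrant:"]
    org, name, *street, city, state_postal, country, tel = lines
    state, _, postal = state_postal.partition(",")
    m = re.match(r"Tel\.\s*\+(\d+)\.", tel)
    return {"org": org, "name": name, "street": " ".join(street), "city": city,
            "state": state.strip(), "postal": postal.strip(), "country": country,
            "tel_cc": m.group(1) if m else ""}

def ordinal_suffix(n: int) -> str:
    if 10 <= n % 100 <= 20:
        return "th"
    return {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")

def suspicious_flags(rec: dict) -> list:
    """Red flags of the kind the posts point at: a null state field, a phone
    country code that does not match the country, a malformed street ordinal."""
    flags = []
    if rec["state"].lower() == "null":
        flags.append("state is null")
    expected = CALLING_CODES.get(rec["country"])
    if expected and rec["tel_cc"] != expected:
        flags.append(f"phone +{rec['tel_cc']} does not match {rec['country']} (+{expected})")
    for num, suffix in re.findall(r"\b(\d+)(st|nd|rd|th)\b", rec["street"]):
        if suffix != ordinal_suffix(int(num)):
            flags.append(f"bad ordinal {num}{suffix} in street")
    return flags

def name_key(name: str) -> str:
    """First and last token, lower-cased, so 'David Taylor' and 'David Alan Taylor' collide."""
    parts = name.lower().split()
    return f"{parts[0]} {parts[-1]}" if parts else ""

# Registrant blocks exactly as quoted in the SpyFalcon and SpywareStrike posts.
SPYFALCON = """Registrant:
    SunShine Ltd
    David Taylor        (Whois Privacy and Spam Prevention by Whois Source)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154
"""
SPYWARESTRIKE = """Registrant:
    Keramitsu  LLC
    David Alan Taylor
    321th Melburn Street
    Seattle
    Washington,98107
    US
    Tel. +207.9545521
"""

if __name__ == "__main__":
    for block in (SPYFALCON, SPYWARESTRIKE):
        rec = parse_registrant(block)
        print(rec["org"], name_key(rec["name"]), suspicious_flags(rec))
```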

A new fake security site is starting to show up on anti-spyware help forums, securitycaution.com (link goes to whois information, not the site). You can see a screenshot of the website here.  When I went to the page, it popped up a fake Internet Explorer warning saying I’m infected with spyware with a link to an "official Anti-Spyware website". The page says "Your private info is collected by W32.Sinnaka.A@mm", just like the other bogus security sites we’ve seen. The web page is advertising several anti-spyware programs, all on the Rogue/Suspect Anti-Spyware list. 

In all the WMF exploit excitement, I didn’t get a chance to blog a great write up by Mark Russinovich, (he’s the Sysinternals programmer that broke the Sony DRM rootkit story.)  Mark wrote about the Antispyware Conspiracy. Highly recommended reading. Excerpt:

The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word "advertisement" sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page.

Mark provides screenshots and detailed descriptions of the deceptive practices.

In other news, Brian Krebs at SecurityFix wrote about the two rogue anti-spyware companies sued by the FTC last year. MAXTHEATER, INC. and Trustsoft settled with the FTC. The FTC release can be found here.

Unfortunately, I don’t think the FTC can take any action against the people behind SpyAxe and similar rogues that are hosted in places like the Ukraine and have domains registered through rogue registrars like Estdomains.
