Sponsored by..

Monday 31 March 2008

BBC Argh


The BBC News website is a much-loved design institution. A very neat, conservative design it has remained pretty much unchanged since its inception. It would be fair to say that it is one of the most recognisable layouts in the business, along with Google and Amazon.

So, you mess with something like this at your peril.. and hats off to the BBC for trying to update the site without being too radical. It's a wider, less cluttered design (according the their blog entry).

Unfortunately, it no longer works on 800 pixel wide screens.. now although that resolution has almost died out on desktop PCs, there are a number of existing upcoming mobile devices that use it (e.g Nokia E90, Sony Ericsson Xperia) , and one of the great things about the BBC News site was that it would work well on almost anything.

To be honest, I can't remember anyone complaining about the 800 pixel wide "old" layout. And a lot of people will be uncomfortable with the change to a favourite web site, as the comments say.

If you have a bit of time on your hands, why not take a look at how the BBC News site has evolved over the past few years at the Wayback Machine.

Friday 28 March 2008

A 419 spam with a twist

419 scams often involve pandering to human greed. In this case, the email is clearly designed to make you think that you have lucked into $800,000 through mistaken identity. Of course, the internal logic doesn't bear close scrutiny.

What's interesting about this email is that it has a calendar invitation on the bottom - clicking on it confirms your email address and presumably is designed to give the message an authentic twist.

Of course, there isn't $800,000 sitting around for you and you can guarantee that "Eze Ike" will try and bilk you out of some money along the way.



Vous êtes invité ::
Dear Friend,
Par votre hôte:
Eze Ike

Message:
Dear Friend,

I didnot forgot your past effort and attemps to assist me, now I'm
happy to inform you that i have suceeded in getting those funds
transferred under the cooperation of a new partner from Japan.

Now Contact my secretary ask him for ($800.000.00)for your compensation
his,name is Mr,Mike Bello, and his E-mail:(ifeany_eze01@yahoo.co.uk)
1,Your Full Name___ 2,Delivery address___ 3,phone number____ 4,email
address___
Thanks and God Bless You.
REGARDS
Dr,Eze Ike.

Date:
vendredi, 28 mars 2008
Heure:
10 h 00 - 11 h 00 (GMT+00:00)

Viendrez-vous ?

Répondre à cette invitation

Thursday 27 March 2008

Lazy 419 spam

Is it me, or is the quality of scam spam going down these days? This fake lottery notification doesn't even try to look convincing.

Subject: Easter Notification(You have won 953,000:00gbp)
From: "UK THUNDERBALL LOTTERY" delroyclarke@nf.sympatico.ca
Date: Thu, March 27, 2008 11:50 am


You won 953,000:00Pounds in the Uk thunderball online Lottery held on
25th of
March 2008.
Contact Person.
MRS GAIL NEUVILLE
E-MAIL: ukthunderball_claimlottery4@yahoo.co.uk
contact her with your details:
1.Name.
2.Address.
3.Nationality.
4.Age.
5.Occupation.
6.Phone/Fax.
Regards
Mrs.Gail Neuville

I think I will give it a miss, thanks.

Incidentally, you can report spam like this to Yahoo through their online reporting tool. The user ID you are reporting on is everything before the @ sign on the Yahoo email address. It is worth stating that even through the spam doesn't come from the Yahoo network, it does use a drop email address at Yahoo to process replies.

Tuesday 25 March 2008

Is 97885 really Vodafone?

The UK's premium rate SMS (text messaging) business is worth over £1 billion per year. It's not surprising then that scammers are in on the act, looking for a slice of that revenue.

These premium rate numbers are use "SMS shortcodes" - but these shortcodes can also be used for non-premium rate (or free) numbers. So how can you tell which is which?

Take this one for example - a text message sent to Vodafone customers that says the following:

From 97885
From Vodafone: Service Enquiry. We are always looking to improve our service. Please help us by answering 2 questions. Reply Yes to start, all replies are free.

On the surface, it all looks pretty legitimate. But wait.. isn't this the kind of approach that scammers use? There have been several cases where spammers can work out your mobile phone network, and who can tell if 97885 is a premium rate number or not?

Well, one organisation that should know is the stupidly named PhonepayPlus body (formerly ICTIS) that is meant to keep track of these premium rate texts. They have a service called SMSus which can look up a premium rate SMS number by text (why they can't do this on the web is a mystery).

So, does sending the 97885 number for SMSus help? No.


From 76787
From SMSus: No info held about this number. Have a concern? Call 0800 500 212 open 8-6, Mon-Fri. Calls free from landline, mobile network charges apply.?
So, pretty useless. Eventually though, a response to an online support call to Vodafone indicates that 97885 is Vodafone, and it is free.

But surely the problem here is that the system is so fundamentally broken that no-one can tell a real messager from a scam? Perhaps it is time that whoever is actually responsible for regulating this mess comes up with an easy way to identify the true owners of SMS shortcodes and can say how much they may cost.

Apple Safari - a driveby download or what?

Millions of people are currently wondering what a "Safari" icon is doing on their Windows desktop. Is it something they installed? Is it adware? Or has Apple turned to the dark side?

Well, I'm afraid that Apple have turned to the dark side. If it wasn't annoying enough that iTunes keeps appearing on your desktop if you just want QuickTime, Apple's latest ploy is to push their Safari web browser out as an "update" to your existing software.. even if you have never installed Safari before.

A legitimate upgrade? Or deceptive advertising? Read more about the drive-by install here, and then decide if Apple software has any place on your Windows desktop machine.

Thursday 20 March 2008

"Gold is Risky - Green is a solid investment" - eFoodSafety.com (EFSF.OB) Spam


The Boulder Pledge is an important principle when it comes to fighting spam - basically, it is a commitment to never buy a product advertised in spam. Some people take it one step further, and say that they will never do any kind of business at all with a company that spams.

It's particularly pathetic when a firm resorts to spam to try to drum up investors. And yet, in the case of eFoodSafety.com (EFSF.OB) - a stock that has lost two thirds of its value in the past 12 months - that appears to be exactly what it happening.

A mystery spam entitled "Gold is Risky - Green is a solid investment" has been circulating over the past couple of days, both by email and also on several blogs. The link in the message points to a sign-up page at http://pws.prserv.net/RevNew/EFSF_LLP01.html with the following blurb:

To the Growth-Oriented Investor...

This could be one of the best buys you make during these recessionary times. And you can be certain this recession will reek havoc on the unprepared.
Yes!
You can achieve profits in today's market!

The coming months will be a nightmare for investors seeking significant profits, except for those who successfully position themselves in key sectors like biotech.
Be among the first to learn about this new trend opportunity.
Download our Company Fact Sheet NOW!

The growth of these sector markets will be so dramatic that it can be confidently forecasted that this as an investing “mega-trend” worth billions in new market capitalization for companies with the right products at the right time.

Download the Company Fact Sheet of one of these innovative biotech companies NOW!

The email itself is just a picture of an attractive and presumably partially naked woman, the subject and sender are:

Subject: Gold is Risky - Green is a solid investment
From: "Investing Ideas" Ignite@InvestingIdeas.prserv.net
Date: Thu, March 20, 2008 2:58 am


Some detective work is required to find out where it comes from. The address on the image is 7702 E Doubletree Ranch Road, Suite 300 Scottsdale, AZ 85258. Some research shows that this is connected with eFoodSafety.com, and indeed the three products pictured are eFoodSafety products: Cinnergen, Immune Boost Bar, Talsyn Scar Cream (shown here).

So, given the address matches eFoodSafety.com, and the only three products shown in the spam and on the landing page are eFoodSafety.com's products, then it is beyond a reasonable doubt that this is an attempt to attract investors to the EFSF.OB stock.

There's no indication to say that eFoodSafety.com is anything other than a legitimate company, and it is not even clear if they send this spam out themselves or contracted a third party to do it (technical note: the spam originates from 69.60.98.141). It does not appear to be a pump-and-dump spam. We do not know if Redwood Consultants, LLC (who are listed as their IR firm) knows about this either.

So - back to the Boulder Pledge. If you feel that you've received this message and that it was unsolicited, then you certainly shouldn't invest in EFSF.OB. As we have said before, a mismanaged email campaign can seriously damage the reputation of a firm. Perhaps eFoodSafety.com would like to find the people responsible and terminate their relationship with them before more harm comes their way.

Thursday 13 March 2008

Very authentic looking Hallmark ecard trojan

A very authentic (but fake) trojan was send out overnight purporting to be from Hallmark.com


A Friend has sent you a Hallmark E-Card.

If you recognize this name, click the link to see your E-Card.
http://www.hallmark.com/ECardWeb/ECV.jsp?a=[snip]


If this name is not familiar to you and you're concerned about online security, please use the following steps:

1. Visit http://www.hallmark.com/getecard
2. Enter your e-mail address in the Original Recipient.s E-Mail Address box.
3. Enter EG0694262772475 in the Confirmation Number box.
4. Click Display Greeting.

Want to send an E-Card too ? Visit www.hallmark.com/ecards



To view Hallmark’s privacy policy or for questions, visit www.hallmark.com, and click the links at the bottom of the page.


The displayed links are all safe, however the FIRST link actually points to hxxp:||pop.ayudaenaccion.org.sv|card.exe



VirusTotal detection is not bad.

Files loaded are as follows:
%systemroot%\system32\nicks.txt
%systemroot%\system32\remote.ini
%systemroot%\system32\script.ini
%systemroot%\system32\servers.ini
%systemroot%\system32\sup.bat
%systemroot%\system32\sup.reg
%systemroot%\system32\users.ini
%systemroot%\system32\aliases.ini
%systemroot%\system32\control.ini
%systemroot%\system32\explorer.exe
%systemroot%\system32\mirc.ico
%systemroot%\system32\mirc.ini


Payload is Zapchast, basically it tries to join the machine to an IRC controlled botnet.

Added:
The remote.ini it drops onto your machine has some interesting host names you might want to block and/or investigate:

[users]
n0=100:*!*@lamerzkiller.users.undernet.org
n1=100:*!*@209.43.75.13
n2=100:*!*@estranho-colo.iquest.net
n3=100:*!*@OMGyouSUCK.users.undernet.org
n4=100:*!*@CoReCt.users.undernet.org
n5=100:*!*@hxr.users.undernet.org
n6=100:*!*@BebiDeea.users.undernet.org
n7=100:*!*@asdz.users.undernet.org
n8=100:*!*@ZmAu.users.undernet.org
n9=100:*!*@ReKt.users.undernet.org
n10=100:*!*@BebeDulce.users.undernet.org
n11=100:*!*@ReCt.users.undernet.org
n12=100:*!*@hacler.ro
[variables]
n0=%HAck1 #GangstaRap | #:">
n1=%console
n2=%utime 1205420752
n3=/away :sã îmi suge-ti cuca zdrentzelor !
n4=%ochan #GangstaRap | #:">

trendmicro.com compromised - sort of.

McAfee has flagged up another mass defacement on their blog here, various sites have been injected with a reference to hxxp:||www.2117966.net|fuckjp.js (I assume that you can undo the trivial obfuscation if you really, really want to look).

A Google search for 2117966 fuckjp.js shows over 9000 hits. Obviously you won't want to visit any of these infected sites, so take care.

However, one of the sites showing up is trendmicro.com (see screenshot). At the time of writing, the Trend Micro site has been cleaned up, and it looks as though the infection wouldn't have worked on that particular site. Nonetheless, it is always worrying when you see a security vendor site compromised in this way. This isn't the first time this has happened to this type of site - CA.com was infected back in January.




The Google cache gives away the infection (use WGET, SamSpade or a non-Windows machine to examine the cache, never a full blown browser on a Windows system).

This is the current (clean) version of www.trendmicro.com/vinfo/grayware
/ve_graywareDetails.asp?GNAME=TSPY_LINEAGE&VSect=St




The infected version (from the cache) shows the altered code:



A close look at the code shows that the injection has been borked somewhat and wouldn't actually work. However, there were potentially hundreds of infected pages, some of which may have been more successful in injecting malware.

The date of the Google cache is or or about 4th March, so a week ago.

2117966.net is on 125.46.105.224 in China, at the time of writing the site is down, however the Google cache comes up with something funny for the front page:



Hacker humour?

Anyway, I have no particular axe to grind against Trend Micro, they have a decent set of products and are one of the more useful companies in the security arena. Again, it just goes to show that even trusted sites can be compromised.

Monday 10 March 2008

Truckerjobsearch.com - spam, scam or stupidity?

I'm not interested in trucks, there is no reason for anyone to send me an email about trucking. And usually, when I see email about "transportation" jobs, then it tends to be some sort of money mule scam.

So a spam email advertising truckerjobsearch.com rang alarm bells - it certainly seemed to tick all the boxes for a scam operation. But is it a scam?

Trucking Companies & Trucking Recruiters
Need to Hire More Class A Truck Drivers?
Let Trucker Distribution Inc Save your Recruiters Time & Money.

LIMITED TIME OFFER
ONLY $400.00 per month

FREE TOP BANNER ON ALL FOUR WEBSITES

NOW for ONLY $400.00 per month you can:

Receive on Average 30-50 New Truck Driver Applications Daily
(Depending on your company criteria)
Get a Top Banner on Four Premium Websites

Get a Side Profile Banner on Four Premium Websites
Hire More CDL Truck Drivers for Less
Cut Your Recruiting Budget in Half

NewTruckDrivingJobs.com
MonsterTruckDriverJobs.com
TruckerGeek.com
TruckerJobSearch.com
We are so confident in our service, that we will give your company a
FREE 24 Hour Trial via our E-MAIL system.
(Applications over the web)

Combination Rates

"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Only $500.00 per month

"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Data Base Access
Only $600.00 per month

"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner
Only $700.00 per month

"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner + Bottom Banners
Plus Brochure Distribution
Only $800.00 per month
---------------------------------------------------------
Individual Services:

"Brochure Distribution"
Only $450.00 per month
(150 Truck Stops )

"Top Banner"
Only $250.00 per month
(Website of Choice)

"Bottom Banner"
Only $200.00 per month
(Website of Choice)

Let Trucker Distribution build a custom package for your company TODAY!


For a FREE Trial Click Here or Call:1-888-675-5551

Originating IP is 199.239.248.221 which identifies itself as truckerout.com, the spamvertised site is hosted on 161.58.218.47. Both servers are hosted by NTT America Inc.

An investigation into the domain names and registration details shows that the sites appear to be legitimate, the sending IP address and the rDNS matches the advertised sites. There is no indication that these sites are not exactly what they say they are. So what gives?

The most common explanation for seeing spam of this type is that the operators have been conned into buying a CD that promises millions of email addresses for a very low price. Very often, these are simply scraped from web sites, or can even be just completely made up.

In all likelihood, the person marketing for this company has bought a bad mailing list in good faith. It doesn't mean that they are not a spammer (the email is certainly not CAN SPAM compliant), but it goes to demonstrate just how easy it is to damage your reputation by mismanaging an email campaign. Buying in mailing lists is best avoided, and even reputably list brokers can sell lists that have been contaminated with bad data. The only real way to be certain is to collect your own lists, if you have to buy them in then you need to research the company you are dealing with to ensure that they really exist and are wholly above board.

Thursday 6 March 2008

StampOffers.com - Spam or Joe Job?



There's a whole bunch of spam doing the rounds as follows:

Subject: Sell for FREE Forever !!!!!!!!!!!!!!
From: stampoffers@yahoo.com
Date: Thu, March 6, 2008 3:21 pm

The idea for StampOffers.com developed in the summer of 2002.
It all started with the creation of a chat board outside of eBay that would allow fellow philatelist the ability to talk about anything without being criticized for not maintaining a strictly philatelic conversation. Those who have made a non-philatelic post to the eBay stamp chat board know what it is like. There was a discovery on this new chat board that collectors would like to buy, sell, and trade among those who visited the chat and a few of the frequent users asked about someone starting an auction site just for stamp collectors. In January of 2003, StampOffers.com was launched!

There was much back and forth about whether StampOffers.com would be able to draw enough users and continue a steady growth and it was decided that the only way to do this was to operate with one philosophy – provide a viable alternative on the world wide web in which collectors from around the world could buy, sell, and trade stamps in an effort to further the hobby. Oh yeah…..and do it for FREE!!

To this day, StampOffers.com provides a site that allows sellers to enter a basic listing with NO INSERTION FEE and NO FINAL VALUE FEE. So how does StampOffers.com continue to operate without collecting fees? Well, let’s just say it is a combination of fellow collectors who are very appreciative of StampOffers.com’s existence combined with StampOffers.com’s desire to contribute to the hobby of philately!

Therefore, go ahead and use the site as much as you wish! The only real favor that is asked is that you pass the word about StampOffers.com. Tell your customers, your fellow collectors, your stamp club friends, your local stamp dealer, and anyone else whom you believe would be as appreciative of the site as those who are using it today.

Thank you,

StampOffers.com - The World Is Finding Us!

Join Now

James Munch

You are receiving this mailing because you agreed to be a part of our opt in mailing list.
As you would expect, no such "opt in" authorisation has been given.

There are a couple of things that are odd about the spam - first of all it seems quite unlikely that a philately site would send out this type of email, the mail is sent out repeatedly to the same address (in an apparent attempt to annoy the recipient), and it has been aimed at a spamcop.net account which perhaps indicates that "reverse listwashing" is taking place to ensure that the mail does get reported as spam.

These are all classic indications of a Joe Job - a fake spam message sent by a third party in order to cause trouble, presumably in an attempt to shut StampOffers.com down. Joe Jobs can be hard to spot, but this certainly seems to tick all the boxes.

As of 6th March 2008, the emails are being sent from a server at 74.86.158.8 through a PHP script which fingers 64.74.124.39 as the possible sending IP. This latter email address is interesting because it belongs to an Autosurf scheme called autosurfunion.com - interestingly the same server has been used for this other apparent stamp related Job Job, presumably the autosurf server is being used as a proxy.

The line in the header to look for is:
X-PHP-Script: 74.86.158.8/~ez123/conf.php for 64.74.124.39

64.74.124.39 is operated by Globalcon.net (contact email appears to be reyner -at- globalcon.net), so try sending any abuse reports their way. Also the 74.86.158.8 server with the insecure redirector should be reported to abuse -at- greenolivetree.net or perhaps via their web form.

Incidentally, this is what StampOffers.com has to say on the subject:

24 February 2008 - SPAM EMAILS

This is a special announcement about a rash of SPAM emails going out.

First, let me apologize for this occurring. StampOffers.com does NOT send out SPAM emails!! The only emails that are sent are to those who are members of StampOffers.com.

Recently, there was an individual who gained access to the site as a bidder and placed a number of fake/fradulent bids. This user created 3 different ID's and attempted to wreak havoc with each one. It appears we have finally been able to block this person from accessing the site and thus has turned to another form of cowardly entertainment.

These emails ARE NOT coming from StampOffers.com, our host, nor any server that our host runs. Our host is working with me to file the proper complaints as seen below:

I am trying everything I can to stop this and apologize to everyone. I would like to ask your assistance. When receiving these emails, contact the ISP you find in the header and point them to this board.

I am a private individual who has been running this site for 5 years. I have no interest in making money (I provide the site for FREE for everyone to use) and definitely have no desire to send out SPAM emails.

Please, if you have any questions, feel free to use the contact button below and let me know.

Thank you for your patience and understanding.

James C. Munch
I tend to concur with StampOffers.com - there are lots of signs to indicate that this is a Joe Job attack, so if you receive on, please analyse the headers carefully and report to the correct service provider.

Monday 3 March 2008

RavMon.exe virus on new Toshiba Satellite laptop

A few days ago I bought a very inexpensive Toshiba Satellite L40-18Z laptop from Comet in the UK. It's a basic laptop running Windows Vista, and it is certainly good enough for web browsing and wordprocessing.

But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.

RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.

Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.

File RavMon.exe received on 03.03.2008 20:38:32 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32008.3.4.02008.03.03Win-Trojan/Xema.variant
AntiVir7.6.0.732008.03.03TR/Agent.Abt.33
Authentium4.93.82008.03.02W32/Trojan.NAT
Avast4.7.1098.02008.03.02Win32:Agent-EDN
AVG7.5.0.5162008.03.03Generic3.NKU
BitDefender7.22008.03.03Trojan.Downloader.Chacent.A
CAT-QuickHeal9.502008.03.03Trojan.Agent.abt
ClamAV0.92.12008.03.03Trojan.Agent-3327
DrWeb4.44.0.091702008.03.03Win32.HLLW.Autoruner.198
eSafe7.0.15.02008.02.28Suspicious File
eTrust-Vet31.3.55822008.03.03Win32/Compfault.C
Ewido4.02008.03.03Trojan.Agent.abt
FileAdvisor12008.03.03-
Fortinet3.14.0.02008.03.03-
F-Prot4.4.2.542008.03.02W32/Trojan.NAT
F-Secure6.70.13260.02008.03.03W32/Agent.CUTV
IkarusT3.1.1.202008.03.03Trojan.Win32.Agent.abt
Kaspersky7.0.0.1252008.03.03Trojan.Win32.Agent.abt
McAfee52432008.03.03New Malware.eb
Microsoft1.33012008.03.03Worm:Win32/RJump.F
NOD32v229182008.03.03Win32/AutoRun.FQ
Norman5.80.022008.03.03W32/Agent.CUTV
Panda9.0.0.42008.03.03Generic Malware
Prevx1V22008.03.03Generic.Malware
Rising20.34.02.002008.03.03Trojan.DL.MnLess.n
Sophos4.27.02008.03.03Troj/QQRob-ADL
Sunbelt3.0.906.02008.02.28-
Symantec102008.03.03W32.Nomvar
TheHacker6.2.92.2312008.03.02-
VBA323.12.6.22008.02.27Trojan.Win32.Agent.abt
VirusBuster4.3.26:92008.03.03Packed/nPack
Webwasher-Gateway6.6.22008.03.03Trojan.Agent.Abt.33

Additional information
File size: 48640 bytes
MD5: 5557dd0fd5565f12a71c92e6aad7088f
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa
PEiD: -
packers: NPack
Prevx info:

Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected this if it had updated in time, and as it is most AV products will detect the virus.

It just goes to show that you can't necessarily trust a PC straight out of the box.