Friday 27 November 2009

"Please design a logo for me. With pie charts. For free."

Classic.. but wait, there's more to this story too! Language possibly NSFW.


This is the guy who tried to pay a bill with a drawing of a spider.

Mystery Google Toothbrush Mystery

Mystery Google is old news for many.. basically you get the search results that the previous person had typed in, and the possibility of being redirected to a malware site seeded by the previous person is a legitimate concern.



Just out of curiosity, I was poking around at it and got the following message:
mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com
Of course, there are no matches for "mission: write a limerick about toothbrushes and send it to randombystander -at- yahoo.com".. except there are now that I've blogged about it.

Now, only a complete nutjob would actually follow these instructions. So here's my effort:
There was an old battered toothbrush
It was ancient and didn't get used much
You'd be willing to bet
That because of neglect
The owner's teeth surely are now mush
Well.. it sort of rhymes. Let's see if that mailbox actually exists.. it does! :)

Friday 20 November 2009

"please update your blah@blah.blah mailbox" spam

Another version of the Zbot trojan coming in via email, much like this one.

From: operator@blah.blah Sent: 20 November 2009 15:21
To: Blah

Subject: please update your blah@blah.blah mailbox


Dear owner of the blah@blah.blah mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:

http://accounts.blah.blah.verzzi.org.uk/webmail/settings/noflash.php?mode=standart&id=[snip]&email=blah@blah.blah

So far verzzi.co.uk and verzzi.org.uk seem to be domains that are used for this, there are probably many others.

Target page is a fake Flash download:

Target file is flashinstaller.exe with patchy or generic detection at best, according to VirusTotal.

ThreatExpert report is here which could be useful if you are trying to disinfect a machine.

When infected, the machine calls home to 193.104.27.42 in the Ukraine, allegedly belonging to "Vladimir Vasulyovich Kamushnoy" but that could be fake.

Fake WHOIS details for verzzi.co.uk and verzzi.org.uk:

Domain name:
verzzi.co.uk

Registrant:
Suzanne Mendez

Registrant type:
Non-UK Individual

Registrant's address:
Taylor Street Apt. 22
Wilrijk
2771
Belgium

Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:
Registered on: 18-Nov-2009
Renewal date: 18-Nov-2011
Last updated: 19-Nov-2009

Registration status:
Registration request being processed.

Name servers:
ns1.elkinsrealty.net
ns1.winderz.net
The Verzzi domains are hosted on a fast flux botnet, so the good news is that it won't be very reliable if some muppet DOES visit the site.

elkinsrealty.net is one nameserver domain, with obviously fake WHOIS details

Domain Name : elkinsrealty.net
PunnyCode : elkinsrealty.net
Creation Date : 2009-07-02 19:50:00
Updated Date : 2009-11-20 01:11:11
Expiration Date : 2010-07-02 19:49:56


Registrant:
Organization : Elkins Realty
Name : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101

Administrative Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Technical Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com

Billing Contact:
Name : Elkins Realty
Organization : O Berg
Address : 2150 1st Ave
City : San Diego
Province/State : beijing
Country :
Postal Code : 92101
Phone Number : 86--6195728001
Fax : 86--6195728002
Email : OBerg@gmail.com
And for Winderz.net:

Registrant:
R Opitz, Brian
341 Church Road
West Sunbury, PA 16061
US

Domain Name: WINDERZ.NET

Administrative Contact, Technical Contact:
R Opitz, Brian straus2009@live.com
341 Church Road
West Sunbury, PA 16061
US
7246372446


Record expires on 17-Nov-2010.
Record created on 17-Nov-2009.
Database last updated on 20-Nov-2009 10:46:04 EST.

Domain servers in listed order:

NS1.WINDERZ.NET 198.177.253.152
NS2.WINDERZ.NET 210.217.45.138
ns1.winderz.net and ns1.elkinsrealty.net are on 198.177.253.152 (Allerion Inc, Atlanta)
ns2.elkinsrealty.net is on 210.217.15.41 (Korea Telecom)
ns2.winderz.net is on 210.217.45.138 (Korea Telecom)

In this case the email "came" from operator@victimdomain - so filtering messages that claim to come from your own domain but arrive from outside at the gateway (or filtering the "operator" address) could be useful.
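The gateway check described above, as an added example that is not part of the original post: it parses an inbound message, reads the source IP from the topmost Received header (the one your own gateway wrote), and holds the message if the From address claims your own domain but the message did not originate from an internal address range, or if the local part is the "operator" address the lure used. The domain example.com, the internal ranges and the two sample messages are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Domain this gateway is responsible for and the ranges genuine internal mail
# comes from. Both are assumed values chosen for the example.
OWN_DOMAIN = "example.com"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Local parts singled out for filtering (the lure used "operator").
WATCHED_LOCAL_PARTS = {"operator"}

# IPv4 address in square brackets, as written by most MTAs in Received headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip(msg):
    """IP the topmost Received header says the message came from, or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def is_internal(ip):
    return ip is not None and any(ip in net for net in INTERNAL_NETS)


def spoof_indicators(raw_message):
    """Return the reasons an inbound message should be held, or [] if none."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    ip = source_ip(msg)
    reasons = []
    if domain.lower() == OWN_DOMAIN and not is_internal(ip):
        reasons.append(f"From claims {OWN_DOMAIN} but arrived from {ip}")
    if local.lower() in WATCHED_LOCAL_PARTS:
        reasons.append(f"watched local part '{local}'")
    return reasons


# Constructed sample: the Zbot lure, arriving from an outside address while
# claiming to be the site's own "operator". 203.0.113.45 is documentation space.
SPOOFED = (
    "Received: from unknown (HELO mail.example.com) [203.0.113.45]\n"
    "\tby gateway.example.com with SMTP; Fri, 20 Nov 2009 15:21:00 +0000\n"
    "From: operator@example.com\n"
    "To: user@example.com\n"
    "Subject: please update your user@example.com mailbox\n"
    "\n"
    "You have to change the security mode of your account.\n"
)

# Constructed sample: genuine internal mail from a host on the LAN.
INTERNAL = (
    "Received: from desktop42.example.com (desktop42.example.com [10.1.2.3])\n"
    "\tby gateway.example.com with ESMTP; Fri, 20 Nov 2009 09:00:00 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: lunch\n"
    "\n"
    "Sandwiches?\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, spoof_indicators(raw) or "clean")
```

Only the topmost Received header is trusted because it is the one your own gateway added; anything below it was written by the sender and can be forged. The check is intentionally narrow: it does not replace SPF or DKIM, but it catches exactly the "own domain from outside" pattern this lure relies on.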

Update: full list so far..
dirddrf.be
dlsports.be
ftpddrs.be
modertps.be
verzzi.co.uk
verzzi.org.uk
verzzq.co.uk
verzzq.me.uk
verzzq.org.uk
verzzg.co.uk
verzzg.me.uk
verzzg.org.uk
verzzm.co.uk
verzzm.me.uk
verzzm.org.uk
verzzn.co.uk
verzzn.me.uk
verzzn.org.uk


Thursday 19 November 2009

Warning: Affilnet.net

Just as a follow-up to the warmfuzzylove.com scam, the same server (98.126.22.178) now hosts Affilnet.net, which may be trying to pass itself off as Affili.net, a legitimate marketing agency, although at the moment the site appears to be blank.

The domain was previously registered to Warner Brothers (of all people!) but was reregistered to an anonymous registrant on 13th November.

Given that the registration pattern and the server being used are consistent with an existing scam, any approach from Affilnet.net should be regarded as suspicious unless proven otherwise.

Avira detects TR/Crypt.XPACK.Gen in MW2

I don't play Modern Warfare 2 - but some reports indicate that it has a virus in it.

What seems to be happening is that Avira is coming up with a generic detection of TR/Crypt.XPACK.Gen on a temporary file (perhaps ~B8.tmp) in C:\Documents and Settings\%USERNAME%\Local Settings\Temp.

However, "TR/Crypt.XPACK.Gen" is a generic detection - Avira is scanning the file and determining that it might be suspicious because it has been compressed with a commercial packer (a bit like a ZIP file). It is almost definitely a false positive that will be fixed quite soon.

If you like, you can head to the Avira Support Forums, where there is a short thread about it.

Wednesday 18 November 2009

T-Mobile & LBM: Just a coincidence?

In what appears to be a systematic plundering of customer records, T-Mobile staff have sold hundreds of thousands (or perhaps millions) of customer details to rival operators. Given that a lead for an expiring mobile phone contract seems to sell for around 50p to £2 a pop, this is possibly a significant slice of cash.

One question is: who sold the data. But a more pertinent one is: who bought the data?

It is probably just a sheer coincidence that I have previously documented unexplained cold calling for T-Mobile customers from a company called LBM Direct Marketing in the UK.

This current round of cold calling is on behalf of O2. LBM appears to have subscriber details - when they finally do talk to you rather than putting the phone down, they greet you by name. [..] The caller denied that they worked for LBM, and claimed to be working for O2 [..]. Our attempts to talk to a supervisor at LBM resulted in the caller putting the phone down. In this case, they do seem to know the name of the subscriber ([..] the phone had previously been with Vodafone and then transferred to T-Mobile)
This is probably not an isolated incident - expiring mobile phone contract leads are valuable and are regularly traded, and we're not just talking about T-Mobile here.. it seems to be very widespread, and T-Mobile deserve some kudos for tackling the issue.

Just in case you missed all the furore, T-Mobile have a news article about it:

Sunday 15 November 2009

Who is My-Data-Source.com?

My spidey sense started to tingle when I got this spam:


Subject: Your friend Workathomesystem[6194] would like to tell you about the Site
From: HR6194@workathomesystem.org
Date: Sun, November 15, 2009 4:09 am

Hello, my name is Derek Lindsay, and I am the Director of My-Data-Source.com. I
would personally like to invite you to become part of our team doing work-at-home data entry. We have guided thousands of team members to success using our new type of data-entry job called Global Data Entry. Some members are currently making $300 - $2000 and more per day, using our program and guidance. We have been dealing with online data entry for over 7 years. Do you have a few minutes? I will explain more.The Legitimacy of Our Company and the Programs We Offer If you are hearing Data-Entry Jobs before then I would like to make something very clear first. We are NOT a get-rich-quick company. If you are visiting our Web site looking for this type of opportunity then I am sorry to inform you that the programs we offer are not get-rich-quick schemes. We are a legitimate company, offering legitimate work-from-home data-entry job opportunities that have proven success and that we stand behind 100% with our satisfaction guarantee. If you were to ask us the biggest difference between My-Data-Source.com and all of the other work-from-home programs on the Internet, the answer would be this - With My-Data-Source.com, we give you training courses before you could do the the actual job to perform and get paid as we will explain on this page with our newest sources of Data Processing Jobs that pays. We will also provide you other programs that you will find when you became a member and that all you are getting is a list of links to jobs that you will need to apply to. WE ARE PROVIDING TRAINING COURSE AND THE ACTUAL DATA PROCESSING JOBS WITH OUR My-DATA-SOURCE.com TRAINING CENTER AND DATA PROCESSING JOBS THAT PAYS! Join our team, get started with complete instructions and guidance on our program.
Click this link: (snip)
The spam redirects through an affiliate link of mikepsandersmyd.click2sell.eu after first taking a couple of hops through TinyURL to avoid reporting. Originating IP is 200.46.204.144 in Panama.

My-Data-Source.com is one of those work-from-home programs that you have to pay to join. Is it a scam though? A good place to start is by looking for general advice on this sort of scheme from reputable sources, for example the BBB, National Consumer League, ScamBusters, and Consumer Direct.

One important thing is to know who you are dealing with - and My-Data-Source.com doesn't mention any real contact details anywhere on their website. The domain was registered to an anonymous registrant on 1st September 2009, so it has only been around for a few months. No clue there, then.. so it is impossible to know who you are actually dealing with.

Another thing to look at are testimonials - you can find these at www.my-data-source.com/testimonials.php - they all look fantastic, but in fact they turn up for all sorts of different sites on the web and clearly do not relate to My-Data-Source.com directly.

The so-called testimonials give a clue though - many of these are on "cookie cutter" sites, basically the same site with a different name. That's never a good sign as it looks like someone is trying to hide something. Sites that appear to be largely the same are:

  • my-data-team.com
  • global-data-entry.com
  • mydatateam.net
  • earn-clickhere.com
  • mydatateamjobs.com
  • mydataentryjobs.net
  • my-data-source.com
  • onlinedataworkjobs.co.uk
my-data-team.com is the longest established of these sites, registered in 2006 to someone called Gary Endres in Concord, California. It does seem to have a verifiable address, but comes with a poor rating at the BBB. But although the text content is largely the same as My-Data-Source.com, the site layout is different.. but they both have the same testimonials!

onlinedataworkjobs.co.uk takes exactly the same content and claims to have been in business for 5 years, although the domain was only registered on 14th May 2009 to a company called "United Service Solutions" (who are not listed anywhere as a UK company) apparently based out of a flat in Bristol. Doesn't fill you with confidence, eh?

Where it is possible to find a registrant for these sites, they all appear to be different. So, either they are reselling someone else's "work at home" product, or they are just copy-and-pasting content from someone else.

There are very few clues as to the owner of My-data-source.com except for the name "Mike P Sanders" embedded in the affiliate link. When you try to sign up for the program, eBay gives an email address of mikepsanders@gmail.com

..but here's an oddity: when the domain was originally registered, the registrant was "Lyndon Dave Ardimer", and a straight Google for that name points to a website called primemarketers.com which contains a number of ads for various schemes.. including My-data-source.com posted by Mike Sanders. So, is Mike P Sanders actually Lyndon Dave Ardimer? Or is this Derek Lindsay? Or Timothy Darwin (whose name appears on many of these sites)? At this point, the lead vanishes into a mass of affiliate programs and offshore marketers.

So who is My-Data-Source.com? As you can see, it is difficult if not impossible to determine if there's a real company involved anywhere in this scheme. Should you shell out $50 to join up with a company with no discernible history or physical location? Almost every consumer advice site says that you shouldn't get involved in any type of work-at-home scheme unless you can verify real contact details.. so on that basis, perhaps give this one a miss!

Friday 13 November 2009

warmfuzzylove.com scam

Another dating scam, but this time they couldn't even be bothered with a picture of a pretty Russian girl.

Subject: re:
From: "jody"
Date: Fri, November 13, 2009 10:49 pm

Hi there:

My name is jody. I was just looking at your picture online and i would
love to chat with you tonight. i just moved close to you and i have no
friends yet :(

you can send a message to my private email jody@warmfuzzylove.com

i would love to hear from you !!!!
warmfuzzylove.com was registered with anonymous details on 4th November 2009 and is hosted on 98.126.22.178 which also handles all the mail. The same server also hosts personals-online.net and singasong4u.com, both also recently registered with anonymous details.

Of course, "Jody" is probably a fat middle-aged man from a former Soviet Republic who will unexpectedly need some money wiring to them. Avoid.

Thursday 12 November 2009

support@nacha.org: "Please review the transaction report"

This is the Zbot trojan or something, very much like this one.


From: Electronic Payments Association [mailto:support@nacha.org]
Sent: 12 November 2009 14:58

Subject: Please review the transaction report


Dear bank account holder,
The ACH transaction, recently initiated from your bank account (by you or any third party), was rejected by the Electronic Payments Association. Please review the transaction report by clicking the link below:

Unauthorized ACH Transaction Report

------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association



The underlying link goes to nacha.org.fffazsf.org.uk which is itself hosted on some sort of Fast Flux botnet. The landing page attempts to get a user to download report.exe (a Zbot variant). It also opens an IFRAME to 121.12.170.177 in China, a well-known malware host.



VirusTotal shows patchy detections, still being analysed by ThreatExpert.

The domain name registration is obviously fake:


Domain name: fffazsf.org.uk
Registrant:
Matthew Hughes
Registrant type:
Non-UK Individual
Registrant's address:
203 Striding Ridge Drive Goldsboro 3881 Belgium
Registrar:
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
URL: http://www.123-reg.co.uk

Relevant dates:

Registered on: 12-Nov-2009

Renewal date: 12-Nov-2011
Last updated: 12-Nov-2009
Registration status:
Registration request being processed.
Name servers:
ns1.pa-estate.com
ns1.tradesdomains.net
Dig deeper at pa-estate.com and we see a familiar email address:

Name : Michell
Organization : Michell

Address : 8663 Sudley Road
City : Manassas
Province/State : beijing

Country : United States

Postal Code : 20108

Phone Number : 571-866-7585793

Fax : 571-866-7585793

Email : Michell.Gregory2009@yahoo.com


A Google Search for that address comes up with over 24,000 references!

tradesdomains.net is registered differently:

Dolorous Lane
fergunis@gmail.com

512 Stonegate Pl

Brentwood
TN

37027

US

Phone: +1.6155546664


ns1.pa-estate.com and ns1.tradesdomains.net are hosted at 207.210.101.253 (Global Net Access, LLC) which also hosts puioypai.org which looks suspect too. ns2.tradesdomains.net is on 195.178.190.48 (Bahnhof Internet, Sweden).

Added: the email comes from several different addresses, including:
  • report@nacha.org
  • support@nacha.org
  • info@nacha.org
Subjects include:
  • Your ACH transaction was rejected by The Electronic Payments Association (NACHA)
  • Please review the transaction report
  • Your ACH transaction was rejected
Domains spotted so far:
  • nacha.org.tttteacf.co.uk
  • nacha.org.tttteacx.org.uk
  • nacha.org.redaczxm.me.uk
  • nacha.org.fffazsx.co.uk
Some additional nameservers:
  • ns1.pa-estate.net
  • ns1.video-format.com
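Both this lure and the "please update your mailbox" one above use the same trick: the legitimate domain (nacha.org, or the victim's own domain, written as blah.blah in that post) appears as the leading labels of a hostname whose registrable part is a freshly registered .uk domain. Below is an added example, not code from the original post, of a triage function that strips a URL down to its registrable domain using a minimal suffix list and reports which protected brand, if any, has been embedded as a subdomain. The suffix list covers only the suffixes seen on this page and the brand list is an assumption; a real deployment would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: only the two-label suffixes seen in the
# posts above. Everything else is treated as a single-label TLD.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk"}

# Brands to protect. "blah.blah" is the placeholder the post uses for the
# victim's own domain; in practice this would be your real domain.
PROTECTED_BRANDS = ["nacha.org", "blah.blah"]


def registrable_domain(host):
    """Return the part of host that a registrar actually sold (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(url, brands=PROTECTED_BRANDS):
    """Name the brand a link spoofs by embedding it as a subdomain, or None.

    nacha.org.fffazsf.org.uk is registered as fffazsf.org.uk; the leading
    'nacha.org' is just a subdomain the registrant of fffazsf.org.uk chose.
    """
    parts = urlsplit(url)
    host = (parts.hostname or url).lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in brands:
        return None  # genuinely one of the brand's own hosts
    prefix = host[: -len(reg)].rstrip(".")  # subdomain labels the sender chose
    if not prefix:
        return None
    for brand in brands:
        if prefix == brand or prefix.endswith("." + brand):
            return brand
    return None


def triage(hosts, brands=PROTECTED_BRANDS):
    """Map each hostname that impersonates a protected brand to that brand."""
    hits = {}
    for h in hosts:
        brand = impersonated_brand(h, brands)
        if brand:
            hits[h] = brand
    return hits


# The "Domains spotted so far" list from the post, plus two legitimate hosts
# added as controls.
SPOTTED = [
    "nacha.org.tttteacf.co.uk",
    "nacha.org.tttteacx.org.uk",
    "nacha.org.redaczxm.me.uk",
    "nacha.org.fffazsx.co.uk",
    "www.nacha.org",
    "news.bbc.co.uk",
]

if __name__ == "__main__":
    for host, brand in triage(SPOTTED).items():
        print(f"{host}: impersonates {brand} (registered as {registrable_domain(host)})")
```

The useful output for a blocklist is the registrable domain, not the full hostname: blocking fffazsf.org.uk covers every subdomain the fast-flux nameservers might hand out, whereas blocking nacha.org.fffazsf.org.uk alone does not.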

Tuesday 10 November 2009

media-servers.net hit by superkahn.ru injection attack

media-servers.net is some sort of advertising agency that doesn't advertise who it belongs to and hides its WHOIS details behind privacy protection. A look at the historical WHOIS records shows the following contact details:

Registrant:
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel

Domain Name: MEDIA-SERVERS.NET
Created on: 19-Sep-04
Expires on: 19-Sep-13
Last Updated on: 17-Feb-09

Administrative Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --

Technical Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --
Their site is infected with injected code pointing to superkahn.ru:8080/index.php - probably the people who own media-servers.net know nothing about it, but they don't make it easy to be contacted.

superkahn.ru is registered to:

domain: SUPERKAHN.RU
type: CORPORATE
nserver: ns1.freeonlinednshost.com.
nserver: ns2.freeonlinednshost.com.
nserver: ns3.freeonlinednshost.com.
nserver: ns4.freeonlinednshost.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 4912 219900
e-mail: dibs@freemailbox.ru
registrar: NAUNET-REG-RIPN
created: 2009.10.28
paid-till: 2010.10.28
source: TC-RIPN

This is multihomed on:
91.121.88.218 (OVH, Paris)
91.121.108.53 (OVH, Paris)
94.23.211.214 (OVH, Paris)
94.75.198.241 (Leaseweb, Amsterdam)
82.192.88.35 (Leaseweb, Amsterdam)

Websense report that this runs a variety of exploit attempts against unpatched Microsoft and Adobe products. Quantcast figures say that almost a million US visitors access this site per month, so a lot more worldwide.

Friday 6 November 2009

"Congratulations!! You have won todays Macbook Air.".

Another day, another badly detected trojan:

Subject: Congratulations
From: "Media Service"

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

Attachments:
winner.zip 21 k [ application/zip ]


winner.zip contains winner.exe detected by some products as the Sasfis Trojan.

ThreatExpert report is here, malware phones home to 193.104.27.4 and 193.104.27.91 in the Ukraine.

Thursday 5 November 2009

BBC websites down - possible DDOS attack?

The BBC's websites (e.g. news.bbc.co.uk and www.bbc.co.uk) are either down or very slow to respond from multiple ISPs and countries. It feels like a DDOS attack, but I cannot confirm it.

It's not trending on Twitter yet, but you can see that it's a widespread issue in real time. The BBC was subject to a major DDOS attack almost exactly a year ago.


Update: the BBC have a statement blaming "network problems" here. Perhaps they should be blaming Siemens?

Wednesday 4 November 2009

Cracking logo, Gromit

Google celebrates 20 years of Wallace and Gromit. Genius.