McAfee has flagged up another mass defacement on their blog here, various sites have been injected with a reference to hxxp:||www.2117966.net|fuckjp.js (I assume that you can undo the trivial obfuscation if you really, really want to look).
A Google search for 2117966 fuckjp.js shows over 9000 hits. Obviously you won't want to visit any of these infected sites, so take care.
However, one of the sites showing up is trendmicro.com (see screenshot). At the time of writing, the Trend Micro site has been cleaned up, and it looks as though the infection wouldn't have worked on that particular site. Nonetheless, it is always worrying when you see a security vendor site compromised in this way. This isn't the first time this has happened to this type of site - CA.com was infected back in January.
The Google cache gives away the infection (use WGET, SamSpade or a non-Windows machine to examine the cache, never a full blown browser on a Windows system).
This is the current (clean) version of www.trendmicro.com/vinfo/grayware
/ve_graywareDetails.asp?GNAME=TSPY_LINEAGE&VSect=St
The infected version (from the cache) shows the altered code:
A close look at the code shows that the injection has been borked somewhat and wouldn't actually work. However, there were potentially hundreds of infected pages, some of which may have been more successful in injecting malware.
The date of the Google cache is or or about 4th March, so a week ago.
2117966.net is on 125.46.105.224 in China, at the time of writing the site is down, however the Google cache comes up with something funny for the front page:
Hacker humour?
Anyway, I have no particular axe to grind against Trend Micro, they have a decent set of products and are one of the more useful companies in the security arena. Again, it just goes to show that even trusted sites can be compromised.
Thursday, 13 March 2008
trendmicro.com compromised - sort of.
Labels:
Iframe attacks,
Viruses
Monday, 10 March 2008
Truckerjobsearch.com - spam, scam or stupidity?
I'm not interested in trucks, there is no reason for anyone to send me an email about trucking. And usually, when I see email about "transportation" jobs, then it tends to be some sort of money mule scam.
So a spam email advertising truckerjobsearch.com rang alarm bells - it certainly seemed to tick all the boxes for a scam operation. But is it a scam?
Originating IP is 199.239.248.221 which identifies itself as truckerout.com, the spamvertised site is hosted on 161.58.218.47. Both servers are hosted by NTT America Inc.
An investigation into the domain names and registration details shows that the sites appear to be legitimate, the sending IP address and the rDNS matches the advertised sites. There is no indication that these sites are not exactly what they say they are. So what gives?
The most common explanation for seeing spam of this type is that the operators have been conned into buying a CD that promises millions of email addresses for a very low price. Very often, these are simply scraped from web sites, or can even be just completely made up.
In all likelihood, the person marketing for this company has bought a bad mailing list in good faith. It doesn't mean that they are not a spammer (the email is certainly not CAN SPAM compliant), but it goes to demonstrate just how easy it is to damage your reputation by mismanaging an email campaign. Buying in mailing lists is best avoided, and even reputably list brokers can sell lists that have been contaminated with bad data. The only real way to be certain is to collect your own lists, if you have to buy them in then you need to research the company you are dealing with to ensure that they really exist and are wholly above board.
So a spam email advertising truckerjobsearch.com rang alarm bells - it certainly seemed to tick all the boxes for a scam operation. But is it a scam?
Trucking Companies & Trucking Recruiters
Need to Hire More Class A Truck Drivers?
Let Trucker Distribution Inc Save your Recruiters Time & Money.
LIMITED TIME OFFER
ONLY $400.00 per month
FREE TOP BANNER ON ALL FOUR WEBSITES
NOW for ONLY $400.00 per month you can:
Receive on Average 30-50 New Truck Driver Applications Daily
(Depending on your company criteria)
Get a Top Banner on Four Premium Websites
Get a Side Profile Banner on Four Premium Websites
Hire More CDL Truck Drivers for Less
Cut Your Recruiting Budget in Half
NewTruckDrivingJobs.com
MonsterTruckDriverJobs.com
TruckerGeek.com
TruckerJobSearch.com
We are so confident in our service, that we will give your company a
FREE 24 Hour Trial via our E-MAIL system.
(Applications over the web)
Combination Rates
"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Only $500.00 per month
"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Data Base Access
Only $600.00 per month
"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner
Only $700.00 per month
"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner + Bottom Banners
Plus Brochure Distribution
Only $800.00 per month
---------------------------------------------------------
Individual Services:
"Brochure Distribution"
Only $450.00 per month
(150 Truck Stops )
"Top Banner"
Only $250.00 per month
(Website of Choice)
"Bottom Banner"
Only $200.00 per month
(Website of Choice)
Let Trucker Distribution build a custom package for your company TODAY!
For a FREE Trial Click Here or Call:1-888-675-5551
Originating IP is 199.239.248.221 which identifies itself as truckerout.com, the spamvertised site is hosted on 161.58.218.47. Both servers are hosted by NTT America Inc.
An investigation into the domain names and registration details shows that the sites appear to be legitimate, the sending IP address and the rDNS matches the advertised sites. There is no indication that these sites are not exactly what they say they are. So what gives?
The most common explanation for seeing spam of this type is that the operators have been conned into buying a CD that promises millions of email addresses for a very low price. Very often, these are simply scraped from web sites, or can even be just completely made up.
In all likelihood, the person marketing for this company has bought a bad mailing list in good faith. It doesn't mean that they are not a spammer (the email is certainly not CAN SPAM compliant), but it goes to demonstrate just how easy it is to damage your reputation by mismanaging an email campaign. Buying in mailing lists is best avoided, and even reputably list brokers can sell lists that have been contaminated with bad data. The only real way to be certain is to collect your own lists, if you have to buy them in then you need to research the company you are dealing with to ensure that they really exist and are wholly above board.
Labels:
Spam
Thursday, 6 March 2008
StampOffers.com - Spam or Joe Job?
There's a whole bunch of spam doing the rounds as follows:
Subject: Sell for FREE Forever !!!!!!!!!!!!!!As you would expect, no such "opt in" authorisation has been given.
From: stampoffers@yahoo.com
Date: Thu, March 6, 2008 3:21 pm
The idea for StampOffers.com developed in the summer of 2002.
It all started with the creation of a chat board outside of eBay that would allow fellow philatelist the ability to talk about anything without being criticized for not maintaining a strictly philatelic conversation. Those who have made a non-philatelic post to the eBay stamp chat board know what it is like. There was a discovery on this new chat board that collectors would like to buy, sell, and trade among those who visited the chat and a few of the frequent users asked about someone starting an auction site just for stamp collectors. In January of 2003, StampOffers.com was launched!
There was much back and forth about whether StampOffers.com would be able to draw enough users and continue a steady growth and it was decided that the only way to do this was to operate with one philosophy – provide a viable alternative on the world wide web in which collectors from around the world could buy, sell, and trade stamps in an effort to further the hobby. Oh yeah…..and do it for FREE!!
To this day, StampOffers.com provides a site that allows sellers to enter a basic listing with NO INSERTION FEE and NO FINAL VALUE FEE. So how does StampOffers.com continue to operate without collecting fees? Well, let’s just say it is a combination of fellow collectors who are very appreciative of StampOffers.com’s existence combined with StampOffers.com’s desire to contribute to the hobby of philately!
Therefore, go ahead and use the site as much as you wish! The only real favor that is asked is that you pass the word about StampOffers.com. Tell your customers, your fellow collectors, your stamp club friends, your local stamp dealer, and anyone else whom you believe would be as appreciative of the site as those who are using it today.
Thank you,
StampOffers.com - The World Is Finding Us!
Join Now
James Munch
You are receiving this mailing because you agreed to be a part of our opt in mailing list.
There are a couple of things that are odd about the spam - first of all it seems quite unlikely that a philately site would send out this type of email, the mail is sent out repeatedly to the same address (in an apparent attempt to annoy the recipient), and it has been aimed at a spamcop.net account which perhaps indicates that "reverse listwashing" is taking place to ensure that the mail does get reported as spam.
These are all classic indications of a Joe Job - a fake spam message sent by a third party in order to cause trouble, presumably in an attempt to shut StampOffers.com down. Joe Jobs can be hard to spot, but this certainly seems to tick all the boxes.
As of 6th March 2008, the emails are being sent from a server at 74.86.158.8 through a PHP script which fingers 64.74.124.39 as the possible sending IP. This latter email address is interesting because it belongs to an Autosurf scheme called autosurfunion.com - interestingly the same server has been used for this other apparent stamp related Job Job, presumably the autosurf server is being used as a proxy.
The line in the header to look for is:
X-PHP-Script: 74.86.158.8/~ez123/conf.php for 64.74.124.39
64.74.124.39 is operated by Globalcon.net (contact email appears to be reyner -at- globalcon.net), so try sending any abuse reports their way. Also the 74.86.158.8 server with the insecure redirector should be reported to abuse -at- greenolivetree.net or perhaps via their web form.
Incidentally, this is what StampOffers.com has to say on the subject:
24 February 2008 - SPAM EMAILSI tend to concur with StampOffers.com - there are lots of signs to indicate that this is a Joe Job attack, so if you receive on, please analyse the headers carefully and report to the correct service provider.
This is a special announcement about a rash of SPAM emails going out.
First, let me apologize for this occurring. StampOffers.com does NOT send out SPAM emails!! The only emails that are sent are to those who are members of StampOffers.com.
Recently, there was an individual who gained access to the site as a bidder and placed a number of fake/fradulent bids. This user created 3 different ID's and attempted to wreak havoc with each one. It appears we have finally been able to block this person from accessing the site and thus has turned to another form of cowardly entertainment.
These emails ARE NOT coming from StampOffers.com, our host, nor any server that our host runs. Our host is working with me to file the proper complaints as seen below:
I am trying everything I can to stop this and apologize to everyone. I would like to ask your assistance. When receiving these emails, contact the ISP you find in the header and point them to this board.
I am a private individual who has been running this site for 5 years. I have no interest in making money (I provide the site for FREE for everyone to use) and definitely have no desire to send out SPAM emails.
Please, if you have any questions, feel free to use the contact button below and let me know.
Thank you for your patience and understanding.
James C. Munch
Monday, 3 March 2008
RavMon.exe virus on new Toshiba Satellite laptop
A few days ago I bought a very inexpensive Toshiba Satellite L40-18Z laptop from Comet in the UK. It's a basic laptop running Windows Vista, and it is certainly good enough for web browsing and wordprocessing.
But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.
RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.
Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.
Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected this if it had updated in time, and as it is most AV products will detect the virus.
It just goes to show that you can't necessarily trust a PC straight out of the box.
But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.
RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.
Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.
File RavMon.exe received on 03.03.2008 20:38:32 (CET) | |||
Antivirus | Version | Last Update | Result |
AhnLab-V3 | 2008.3.4.0 | 2008.03.03 | Win-Trojan/Xema.variant |
AntiVir | 7.6.0.73 | 2008.03.03 | TR/Agent.Abt.33 |
Authentium | 4.93.8 | 2008.03.02 | W32/Trojan.NAT |
Avast | 4.7.1098.0 | 2008.03.02 | Win32:Agent-EDN |
AVG | 7.5.0.516 | 2008.03.03 | Generic3.NKU |
BitDefender | 7.2 | 2008.03.03 | Trojan.Downloader.Chacent.A |
CAT-QuickHeal | 9.50 | 2008.03.03 | Trojan.Agent.abt |
ClamAV | 0.92.1 | 2008.03.03 | Trojan.Agent-3327 |
DrWeb | 4.44.0.09170 | 2008.03.03 | Win32.HLLW.Autoruner.198 |
eSafe | 7.0.15.0 | 2008.02.28 | Suspicious File |
eTrust-Vet | 31.3.5582 | 2008.03.03 | Win32/Compfault.C |
Ewido | 4.0 | 2008.03.03 | Trojan.Agent.abt |
FileAdvisor | 1 | 2008.03.03 | - |
Fortinet | 3.14.0.0 | 2008.03.03 | - |
F-Prot | 4.4.2.54 | 2008.03.02 | W32/Trojan.NAT |
F-Secure | 6.70.13260.0 | 2008.03.03 | W32/Agent.CUTV |
Ikarus | T3.1.1.20 | 2008.03.03 | Trojan.Win32.Agent.abt |
Kaspersky | 7.0.0.125 | 2008.03.03 | Trojan.Win32.Agent.abt |
McAfee | 5243 | 2008.03.03 | New Malware.eb |
Microsoft | 1.3301 | 2008.03.03 | Worm:Win32/RJump.F |
NOD32v2 | 2918 | 2008.03.03 | Win32/AutoRun.FQ |
Norman | 5.80.02 | 2008.03.03 | W32/Agent.CUTV |
Panda | 9.0.0.4 | 2008.03.03 | Generic Malware |
Prevx1 | V2 | 2008.03.03 | Generic.Malware |
Rising | 20.34.02.00 | 2008.03.03 | Trojan.DL.MnLess.n |
Sophos | 4.27.0 | 2008.03.03 | Troj/QQRob-ADL |
Sunbelt | 3.0.906.0 | 2008.02.28 | - |
Symantec | 10 | 2008.03.03 | W32.Nomvar |
TheHacker | 6.2.92.231 | 2008.03.02 | - |
VBA32 | 3.12.6.2 | 2008.02.27 | Trojan.Win32.Agent.abt |
VirusBuster | 4.3.26:9 | 2008.03.03 | Packed/nPack |
Webwasher-Gateway | 6.6.2 | 2008.03.03 | Trojan.Agent.Abt.33 |
| |||
Additional information | |||
File size: 48640 bytes | |||
MD5: 5557dd0fd5565f12a71c92e6aad7088f | |||
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa | |||
PEiD: - | |||
packers: NPack | |||
Prevx info: |
Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected this if it had updated in time, and as it is most AV products will detect the virus.
It just goes to show that you can't necessarily trust a PC straight out of the box.
Labels:
Viruses
Wednesday, 27 February 2008
Dating Scam Sites VI
The return of a persistent spam.. which means that plenty of people are falling for it.
Hello! I am bored today. I am nice girl that would like to chat with you. Email meOf course, the nice girl is going to be a hideous troll or some ugly middle aged chickenboner. Whoever you are talking to, the aim is usually to bilk you out of a large pile of cash.
at Ebba@ThePaganDoorway.info only, because I am using my friend's email to write
this. If you would like to see my pictures.
Current domains in this run are as follows:
- Oldgloryshirts.info
- Prideboundx.info
- Selfhealdirect.info
- Shineplug.info
- Shinestick.info
- Shinyglowstick.info
- Superdoorway.info
- Thedoorwaybeyond.info
- Thedoorwaydomain.info
- Thedoorwaygenerator.info
- Theglowpup.info
- Thegoldendoorway.info
- Thehealcare.info
- Thepagandoorway.info
- Unitedimprove.info
Tuesday, 26 February 2008
Another dating scam
Dating scams are increasingly common and are something that I've blogged about before. It's really just a variation of the 419 Advanced Fee fraud scam, except the bait this time is usually a pretty Russian girl.
Of course, the email is going to be from some ugly middle aged Russian bloke rather than an attractive young lady, but at least this one has the decency to include a couple of photos of someone who will have nothing to do with the scam at all.
Hi! I'm a single girl and I'm 26 years old. Please take a look at my pictures and let me know if you like them! I live in Russia and I'm going to come to your country and work over there very soon! I don't know anybody over there and I thought it would be great to meet someone who is open to anything (as I am!). I would be happy to be friends, lovers or create a serious relationship! We will see what happens!
I hope you will write me back and I will write more info about myself and send more
photos!!!!!!!!!!!
I am writing from my friend's email address, so please make sure you do not reply directly to this email. Email me at nrochestetd0@yahoo.co.uk only.
if you don't use my personal email address then I won't be able to read your
reply and write you back. So it is very important that you get it
right.
Ok, I guess it is now your turn. Hope to hear from you today. Bye!!
btw, i got your email from dating website
Of course, the email is going to be from some ugly middle aged Russian bloke rather than an attractive young lady, but at least this one has the decency to include a couple of photos of someone who will have nothing to do with the scam at all.
Labels:
Dating Scams,
Scams,
Spam
DAIYA PR Co Scam
Scammers can be quite funny - this one is from someone pretending to be DAIYA PR of Japan.
Job opportunity from DAIYA PR Co., JapanGotta love the bit that says "This not any kind of: MLM, scam, spam." Clearly a big company like DAIYA PR would be soliciting replies to a Gmail address (only.. don't send it to the real company by mistake, will you?). In this case the email originates from 88.233.203.233 which is a compromised machine in Turkey.. not Japan.
Job Location World
Company Location Japan
Employment Type Employee
Salary $7,500.00/month + BONUS system
Send your profile/resume/CV to this e-mail only:
smith.is.dennis@gmail.com
DAIYA PR Co., Japan is expanding! This is job opportunity from famous Japan Corporation. Not just any opportunity but one that can make your career fun and rewarding. We have various positions over all US. You don’t need to move out from US, this job located in USA. If you are have all requirements you NEED to send us your resume or profile or CV for qualification. You will receive back our opinion in 1-2 days. Hurry up, this job opportunity is limited.
Requirements and skills:
1. Higher Education/College
2. 1+ Sales/Management (desired but optional)
3. Strong communicative skills
4. Must have MS Office installed (MS Word)
5. Must have U.S. citizenship
6. Adult age
This is original e-mail letter from DAIYA PR Co. This not any kind of: MLM, scam, spam. We will never ask to you to provide any kind of investments.
It isn't absolutely clear what the scam is, but they are usually money laundering operations or sometimes setting up fake companies or identities. The best thing to do is steer clear.
Note: DAIYA PR is a real company and is not connected with this scam email being sent out in its name.
Thursday, 7 February 2008
"Metrix Ventures" scam email
Some sort of modelling scam, sent to an email address from a data breach at an online retailers so you KNOW that it's a fraud. Company name given is Metrix Ventures which appears to be completely bogus, and is not related to any company of a similar name.
Originating IP is 194.126.173.16, which is probably a compromised server. It amusingly identifies itself as project-crime.com in the email headers!
Subject: Job Offer
From: "Gary Pole"
Date: Thu, February 7, 2008 1:41 pm
Hello,
My name is Gary Pole. Am freelance modeling agent working for Metrix Ventures which
is based in the US and has branches also in Europe.I would like us to do some works
together. I presently have good offer for you.I want to know if you are interested
in modeling because I need pictures of a good looking person (male or female) who
will be on the magazine cover of one of my clients. Please let me know if you are
interested in the deal. You stand a chance of making reasonable money and 150 Pounds
from this deal to start, and even a noticeable fame. Let me know if you are
interested in my offer and I would give you further details.
Best Regards,
Gary.
Originating IP is 194.126.173.16, which is probably a compromised server. It amusingly identifies itself as project-crime.com in the email headers!
Monday, 4 February 2008
Fake "Benjamin Vincent Solicitors" mail
Another money mule fraud, this time using the name "Benjamin Vincent Solicitors".
Now, Benjamin Vincent Solicitors are a real company and have nothing whatsoever to do with this fraud (you can see their details here). The scammers have used the correct address, but the "+44 7717" number is a mobile phone, not a landline. In other words, this fraud is attempting to trade of the name of a wholly innocent firm. The email addresses bvsolicit@yahoo.com and bvsolicitors@hotmail.co.uk are associated with this scam.
Tsk tsk.
Subject: Business Proposal
From: "Benjamin Vincent"
Date: Mon, February 4, 2008 11:13 am
To: undisclosed-recipients:;
Priority: Normal
Dear Sir/Ma’am,
I want to ask your attention to receive money on my behalf and it will
be for our mutual benefits.
Please call me if you are interested and on your response, I will send
you the full details and more information about myself and the funds.
Yours sincerely,
Benjamin Vincent
Benjamin Vincent Solicitors
49, High Street Wanstead
London
E11 2AA
Tel: +44 771 719 0188.
Now, Benjamin Vincent Solicitors are a real company and have nothing whatsoever to do with this fraud (you can see their details here). The scammers have used the correct address, but the "+44 7717" number is a mobile phone, not a landline. In other words, this fraud is attempting to trade of the name of a wholly innocent firm. The email addresses bvsolicit@yahoo.com and bvsolicitors@hotmail.co.uk are associated with this scam.
Tsk tsk.
Saturday, 2 February 2008
moneybookers.com / xcitinggames.com phish
It's unusual to see a moneybookers.com phish, but perhaps it shows that the phishers are moving on to different targets. This particular phish reads:
Greetings from moneybookers.com! We would like to inform you that you have received a payment from banking@xcitinggames.com.
Payment details
Amount: . 147.00
ID: 89089098
Subject: received payment
Note: Click here to accept this payment
Your money is waiting for you in your Moneybookers account.
Use this link to accept payment- www.moneybookers.com.
We hope you enjoy your cash.
One other notable feature of this phish is the use of an AOL redirector to attempt to fool spam filters, in this case eventually pointing to http://195.234.171.86/app/login.pl/index.htm which is a server in Italy, probably rented with stolen credit card details.
Neither moneybookers.com nor xcitinggames.com are involved in this phish. I understand that AOL have been told about their redirector problem several times but have not acted.
Saturday, 19 January 2008
River Great Ouse, Bedford: 19/1/08
I know that it's winter, but in the UK we've had nothing but rain, rain and more rain. Our local river is right up to banks and with nothing but rain forecast for the next few days.. well, I'm just glad I don't live next to it.
Wednesday, 16 January 2008
"Colls Solution Company" Scam Email
This is a UK-target scam, using email addresses harvested from an online retailer who had a security breach.
This one appears to be more that just the usual advanced fee fraud or money laundering though.
If you get one of these, forward it to abuse -at- mail.com who handle email for the representative.com domain.
This one appears to be more that just the usual advanced fee fraud or money laundering though.
Subject: JOB OFFERNote that they say the job is "Handling all applications with regards to new clients that will like to register a company in uk and what you will be doing is Filing all papers from these individual companies which will be sent over to you under that companies name." In other words, the victim will be used as a front to create bogus offshore companies. And when those companies do something criminal, then the UK-based victim will be the one to get into trouble.
From: "COLLS SOLUTION COMPANY"
Hello
We are offering a temporary job which really do not
require any professional skills.
You really don't have to have any professional skills
for this. All we are looking for right now is Uk based
individual to handle paper work, file documents and
handle payroll administration to our clients in Uk.
What will be required from you is few hours a day and
also to pay very close attention to all instructions
given to you.
Your Job will be; Handling all applications with
regards to new clients that will like to register a
company in uk and what you will be doing is Filing all
papers from these individual companies which will be
sent over to you under that companies name.
Salary terms; 120 pounds per job Get back to
us through the email address below if you are
interested in the job offer.
Please get back to me with the following details.
FULL NAME
FULL ADDRESS
E-MAIL ADDRESS
AGE
SEX
PRESENT EMPLOYMENT
MARITAL STATUS
WHEN WOULD LIKE TO START
All replies should to be forwards to the company e-mail address.
private_solutions@representative.com
Regard,
DEBRA COLLINS
If you get one of these, forward it to abuse -at- mail.com who handle email for the representative.com domain.
Monday, 14 January 2008
The BBC iPlayer in a corporate environment
The BBC have spent a lot of time and money developing the BBC iPlayer it turns out that it's just another P2P application running on Kontiki.
So, I've written a guide for corporate IT departments giving them a pointer as to what the iPlayer is all about and how to block it - which it turns out should be easy enough!
Blocking BBC iPlayer, 4OD and Sky-by-Broadband
So, I've written a guide for corporate IT departments giving them a pointer as to what the iPlayer is all about and how to block it - which it turns out should be easy enough!
Blocking BBC iPlayer, 4OD and Sky-by-Broadband
Labels:
security
CA PestPatrol false positive - NeoSpy / rarsfx0 directory / WinRAR
Another false positive doing the rounds, this time in CA's PestPatrol software which is incorrectly identifying %profile%\local settings\temp\rarsfx0 as being part of part of the rogue NeoSpy package (see here for CA's description).
In fact, the rarsfx0 directory is just a temporary folder created by RARLAB's WinRAR application - that's a harmless commercial file packager. This folder looks to have been included accidentally in a PestPatrol signature released on 9th January.
Note that if you have PestPatrol installed with the faulty signature, then WinRAR archives may not unpack properly.
In fact, the rarsfx0 directory is just a temporary folder created by RARLAB's WinRAR application - that's a harmless commercial file packager. This folder looks to have been included accidentally in a PestPatrol signature released on 9th January.
Note that if you have PestPatrol installed with the faulty signature, then WinRAR archives may not unpack properly.
Labels:
CA,
eTrust,
False Positive,
PestPatrol
Sunday, 13 January 2008
Arcanely Worded Scam of the Month Award
OK, so I don't really have an Arcanely Worded Scam of the Month Award, but if I did then this rather bizarre email would count. It is, of course, a standard Advanced Fee Fraud pitch, but the almost Shakespearean wording is something else..
Subject: PLEASE RESPOND ASAP!!
From: "Timms David"
Hello,
It gives me a great deal of pleasure to write you this mail and even when it might
come to you as a surprise, I hope you find it of interest. Let me first introduce
myself. My name is David Timms. I am an Executive Auditor with a Bank here in Europe
, I would like to use this means to ask your assistance in moving some fund over to
your country. I have in the course of my duties come in contact with a good amount
of Fund that have been inactive for some years now and careful investigation proved
the original depositor of the fund died five years ago and all attempt to reach the
suppose beneficiary of the deposit were fruitless and before it is forfeited to the
state I decided to move it. It is of interest to inform you also that I have already
moved this fund out of the Establishment and now in safe keeping with a Finance and
security house, I will like to move it outside now and this is were I need your
assistance. After legal consultation, I have established modalities for!
a secured way for a perfect transaction., but be most assured that for your
assistance and partnership you will get a good percentage of the fund, it is
important to let you know that fifty percent of the rest will be invested over
there under your management for a negotiable period of time and we will open a
fruitful dialog very soon to that effect. I look forward to our working closely in
practically seeing this transaction come to a perfect end. For effective
communication, please kindly include in your reply, your complete Names, Address,
Occupation, Age and most especially your contact number and I will contact you as
soon as I get your reply. I look forward to hearing from you and my gratitude for
your Patience.
Respectfully yours,
Timms David.
Eh? "I have established modalities for a secured way for a perfect transaction"?
Subject: PLEASE RESPOND ASAP!!
From: "Timms David"
Hello,
It gives me a great deal of pleasure to write you this mail and even when it might
come to you as a surprise, I hope you find it of interest. Let me first introduce
myself. My name is David Timms. I am an Executive Auditor with a Bank here in Europe
, I would like to use this means to ask your assistance in moving some fund over to
your country. I have in the course of my duties come in contact with a good amount
of Fund that have been inactive for some years now and careful investigation proved
the original depositor of the fund died five years ago and all attempt to reach the
suppose beneficiary of the deposit were fruitless and before it is forfeited to the
state I decided to move it. It is of interest to inform you also that I have already
moved this fund out of the Establishment and now in safe keeping with a Finance and
security house, I will like to move it outside now and this is were I need your
assistance. After legal consultation, I have established modalities for!
a secured way for a perfect transaction., but be most assured that for your
assistance and partnership you will get a good percentage of the fund, it is
important to let you know that fifty percent of the rest will be invested over
there under your management for a negotiable period of time and we will open a
fruitful dialog very soon to that effect. I look forward to our working closely in
practically seeing this transaction come to a perfect end. For effective
communication, please kindly include in your reply, your complete Names, Address,
Occupation, Age and most especially your contact number and I will contact you as
soon as I get your reply. I look forward to hearing from you and my gratitude for
your Patience.
Respectfully yours,
Timms David.
Eh? "I have established modalities for a secured way for a perfect transaction"?
Wednesday, 9 January 2008
eTrust ITM 8.1 fails to update
I've been grappling with a strange problem with eTrust ITM 8.1 for a couple of weeks - the software installs just fine, but the signature updates never apply. The problem occurs on a whole batch of machines that aren't exactly related, but which were all bought in early 2005.
The eTrust Distribution log shows the following:
After working with our reseller we discovered the problem - it's not a problem with eTrust, but instead a very strange permissions issue that has happened with those PCs. What has happened is that the computer's SYSTEM account (which the eTrust services run under) doesn't have access to write to that part of the disk, despite having permissions explicitly set.
In the case of eTrust, the fix is to open up the Services control panel (Start.. Run.. services.msc), and then.
Of course, you can also do this all remotely with the Computer Management tool and something like PSKILL (from PSTools), so you don't have to be sitting at the machine to do it.
As I said, I don't believe that this is an eTrust problem, it looks as though Windows is borked somehow, possibly an issue with SIDs or something. I have a feeling that other software misbehaves, possibly including Active Directory policies. I have no solution other than a complete rebuild, but if you're struggling to get eTrust updating properly, then I would definitely look at the user rights for the service.
The eTrust Distribution log shows the following:
Completed Time Type Code DescriptionNote that there are always 16 lines in the log.. the update process starts but never completes, and there's no error message.
09-Jan-2008 08:46:11 Information 0 1) Selected component "eTrust Antivirus Arclib Archive Libra...
09-Jan-2008 08:46:11 Information 0 2) Selected component "eTrust Antivirus Base"
09-Jan-2008 08:46:11 Information 0 3) Selected component "eTrust Antivirus Realtime Drivers"
09-Jan-2008 08:46:11 Information 0 4) Selected component "iGateway"
09-Jan-2008 08:46:11 Information 0 5) Selected component "eTrust ITM Common"
09-Jan-2008 08:46:11 Information 0 6) Selected component "eTrust ITM Agent GUI"
09-Jan-2008 08:46:11 Information 0 7) Selected component "CAUpdate"
09-Jan-2008 08:46:11 Information 0 8) Selected component "eTrust PestPatrol Base"
09-Jan-2008 08:46:11 Information 0 9) Selected component "eTrust PestPatrol Clean"
09-Jan-2008 08:46:11 Information 0 10) Selected component "eTrust PestPatrol Engine"
09-Jan-2008 08:46:11 Information 0 11) Selected component "eTrust PestPatrol Realtime"
09-Jan-2008 08:46:11 Information 0 12) Selected component "eTrust PestPatrol Signatures"
09-Jan-2008 08:46:11 Information 0 13) Selected component "eTrust Vet Engine"
09-Jan-2008 08:46:11 Information 0 Checking updates for "eTrust Antivirus Arclib Archive Librar...
09-Jan-2008 08:46:11 Information 0 Downloading from "SERVERNAME:42511"
09-Jan-2008 08:46:09 Information 0 The distribution program started the download process.
Show 10 Show 25 Show 50 Show All Page 1 « ‹ 1-16 of 16 › »
After working with our reseller we discovered the problem - it's not a problem with eTrust, but instead a very strange permissions issue that has happened with those PCs. What has happened is that the computer's SYSTEM account (which the eTrust services run under) doesn't have access to write to that part of the disk, despite having permissions explicitly set.
In the case of eTrust, the fix is to open up the Services control panel (Start.. Run.. services.msc), and then.
- Double-click on the eTrust ITM Job Service
- Click the Log On tab
- Change the credentials from the "Local System account" to the local Administrator account on the PC (i.e. username Administrator, password to whatever you set it to).
- Restart the service
- Either reboot the machine, or terminate the ITMDist service
- Tell the machine to download updates again.
Of course, you can also do this all remotely with the Computer Management tool and something like PSKILL (from PSTools), so you don't have to be sitting at the machine to do it.
As I said, I don't believe that this is an eTrust problem, it looks as though Windows is borked somehow, possibly an issue with SIDs or something. I have a feeling that other software misbehaves, possibly including Active Directory policies. I have no solution other than a complete rebuild, but if you're struggling to get eTrust updating properly, then I would definitely look at the user rights for the service.
Friday, 4 January 2008
CA.com compromised / Zero-day RealPlayer flaw
The ISC reports that several websites have been compromised by a zero-day vulnerability in RealPlayer. The halware is hosted or routed via uc8010.com (currently down).
Surprisingly, one of the compromised web sites (since cleaned up) is ca.com (Computer Associates), who make the eTrust anti-virus product.
A Google search for uc8010.+com site:ca.com comes up with several dozen hacked pages, mostly press releases.
A look at a cached copy of the code shows a link to n.uc8010.com/0.js (don't visit this url) which then loads the exploit.
Note that everything here is a .gif to stop virus scanners freaking out.
To be fair, a lot of sites are compromised including government bodies and large corporations. It just goes to show that there's no such thing as a "safe site" any more.
Thursday, 3 January 2008
JS/Exploit-BO false positive in McAfee
In what looks like a re-run of a recent false positive from eTrust, McAfee Anti-Virus is detecting JS/Exploit-BO in a number of innocent javascript applications, including Mootools. It's likely that McAfee is detecting the Dean Edwards Packer Tool as malware, although that's just an innocent application. Pattern 5197 has the problem, upgrading the signatures to pattern 5198 or later should fix it.
Unfortunately I guess this goes to show that packer tools can be a menace. There have been reports of this tool being used to obfuscate malware, so the smart advice to javascript developers is probably to not encode, compress or encrypt your code in any way if you want it to be trusted.
Unfortunately I guess this goes to show that packer tools can be a menace. There have been reports of this tool being used to obfuscate malware, so the smart advice to javascript developers is probably to not encode, compress or encrypt your code in any way if you want it to be trusted.
Labels:
Anti-Virus Software,
False Positive,
Viruses
Monday, 31 December 2007
Js/snz.a - likely false positive in eTrust / Vet Anti-Virus
It appears that CA's eTrust Anti-Virus product (also known as Vet Anti-Virus, often bundled with other security applications such as ZoneAlarm) is coming up with a false positive for js/snz.a for several complex javascript applications.
As far as I can tell, the javascript uses complex encoding but is not malware. These javascript elements are widely used on the web. As far as I can tell, they are not harmful in any way and this is a mis-identification by eTrust / Vet.
The signature that has the problem is 31.3.5417 dated 31/12/07
Some of the Javascript files that seem to trigger an alert are named:
If you're running Internet Explorer, then you may see an alert for an individual .js file as above, in a Mozilla-based browser (such as Seamonkey or Firefox) you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx
Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.
You can submit suspect files to CA here for analysis, that may well help them to fix the problem.
Follow up: this problem has now been fixed. It turns out that the javascript had been compressed using this packer tool which itself is harmless, but it does appear that the packer has been used for malicious javascript applications in the past as well as legitimate ones. Perhaps the lesson is.. don't pack or obfuscate your javascript!
As far as I can tell, the javascript uses complex encoding but is not malware. These javascript elements are widely used on the web. As far as I can tell, they are not harmful in any way and this is a mis-identification by eTrust / Vet.
The signature that has the problem is 31.3.5417 dated 31/12/07
Some of the Javascript files that seem to trigger an alert are named:
- jquery.js
- mootools.js
- ifx.js
- show_ads.js
- relevancead.js
- submodal.js
- iutil.js
- ifxslide.js
If you're running Internet Explorer, then you may see an alert for an individual .js file as above, in a Mozilla-based browser (such as Seamonkey or Firefox) you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx
Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.
You can submit suspect files to CA here for analysis, that may well help them to fix the problem.
Follow up: this problem has now been fixed. It turns out that the javascript had been compressed using this packer tool which itself is harmless, but it does appear that the packer has been used for malicious javascript applications in the past as well as legitimate ones. Perhaps the lesson is.. don't pack or obfuscate your javascript!
Labels:
eTrust,
False Positive,
Vet,
Viruses
Thursday, 27 December 2007
Dating Scam Sites V
Another bunch of dating scam sites, to follow on from these. Hosted on 210.14.129.25.
Sample email:
- Engineride.info
- Enginewreck.info
- Glorylandusa.info
- Glorywaychurchx.info
- Honordays.info
- Honorholes.info
- Honorministries.info
- Morninghonor.info
- Oldgloryshirts.info
- Simoldglory.info
- Usoldglory.info
- Theredglow.info
Sample email:
Hey you
I read your profile on-line a few minutes ago and you seem intresting
email me at Nikki@GloryWayChurchx.info and I will reply with a Picture and Info
about me right away
I will stay online and wait for your email
Talk to you soon
Subscribe to:
Posts (Atom)