Sat 04 July, 2009

When AV attacks
IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan attacked core system files, in some cases causing the machines to display the dreaded blue screen of death.…
Case Study: WhatsUp keeps Legoland turnstyles ringing
Fri 03 July, 2009

Blue grass county hit by Trojan-fueled cybercrime
A gang of cybercrooks has made off with $415,000 from the coffers of Bullitt County, Kentucky following the conclusion of an elaborate phishing scam, The Washington Post reports.…
In this particular case the scareware front-ends ultimately lead to ChronoPay, which Germany-based Pandora Software has been abusing since 2008 under countless aliases, Meyrocorp for instance.
The scareware domains are as follows:
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goscanfine .com - Email: chirelqas@gmail.com
in6ch .com - Email: relgetn@gmail.com
goscanrich .com - Email: pathstals@gmail.com
goscanrank .com - Email: alcnafuch@gmail.com
ina6sk .com - Email: equatelepi@gmail.com
in6sk .com - Email: thomas.truby@gmail.com
goscanslim .com - Email: chinrfi@gmail.com
gowidescan .com - Email: alcnafuch@gmail.com
goedgescan .com - Email: subtenda@gmail.com
gofinescan .com - Email: alcnafuch@gmail.com
goelitescan .com - Email: funully@gmail.com
gorichscan .com - Email: pathstals@gmail.com
goslimscan .com - Email: chinrfi@gmail.com
gosoonscan .com - Email: aloxier@gmail.com
goironscan .com - Email: aloxier@gmail.com
goflexscan .com - Email: alcnafuch@gmail.com
gomanyscan .com - Email: alcnafuch@gmail.com
goscaniron .com - Email: aloxier@gmail.com
ina6co .com - Email: equatelepi@gmail.com
in6co .com - Email: thomas.truby@gmail.com
goscantop .com - Email: funully@gmail.com
ina6iq .com - Email: equatelepi@gmail.com
goscanstar .com - Email: stgeyman@gmail.com
goscanflex .com - Email: chirelqas@gmail.com
goscanmany .com - Email: chirelqas@gmail.com
scantrue6 .info - Email: jokinzer@gmail.com
scantool6 .info - Email: jokinzer@gmail.com
scanzoom6 .info - Email: jokinzer@gmail.com
litescan6 .info - Email: litescan6.info
truescan6 .info - Email: jokinzer@gmail.com
toolscan6 .info - Email: jokinzer@gmail.com
genscan6 .info - Email: imendegal@gmail.com
luxscan6 .info - Email: donboset@gmail.com
wayscan6 .info - Email: jokinzer@gmail.com
scanuser6 .info - Email: jokinzer@gmail.com
scanway6 .info - Email: jokinzer@gmail.com
scan6line .info - Email: jokinzer@gmail.com
scan6note .info - Email: jokinzer@gmail.com
scan6true .info - Email: jokinzer@gmail.com
scan6tool .info - Email: jokinzer@gmail.com
true6scan .info - Email: jokinzer@gmail.com
tool6scan .info - Email: jokinzer@gmail.com
top6scan .info - Email: jokinzer@gmail.com
user6scan .info - Email: jokinzer@gmail.com
list6scan .info - Email: jokinzer@gmail.com
way6scan .info - Email: jokinzer@gmail.com
scan6user .info - Email: jokinzer@gmail.com
scan6list .info - Email: jokinzer@gmail.com
scan6fix .info - Email: jokinzer@gmail.com
scan6way .info - Email: jokinzer@gmail.com
It's a pretty obvious case demonstrating the dynamics of the underground ecosystem: a thousand bogus e-mail accounts purchased for $10 and used for the bulk registration of scareware-serving domains on a revenue-sharing affiliate model ends up as a win-win-win situation for the cybercriminals involved. The practice is becoming rather popular not only because of their interest in decentralizing domain control away from a single e-mail address -- cross-checking one registrant address reveals the entire portfolio managed under it -- but also because of the availability of the service.
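The cross-checking described above (one registrant address exposing the whole portfolio registered under it, and one hosting IP exposing every domain parked on it) can be automated over a list in the post's own format. The following Python script is an added example, not part of Danchev's post or of any tool it mentions; the function names and the inheritance rule (a line without an IP takes the IP of the previous line, as the post's grouping implies) are my own. The sample records are copied from the list above.

```python
import re
from collections import defaultdict

# Sample records copied from the post's defanged list above. As in the post,
# the IP on the first line of a group applies to the following lines until a
# new IP appears; domains are written "name .tld" so they are not clickable.
SAMPLE_RECORDS = """\
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com
listscan6 .com - Email: loiskiltz@gmail.com
goscanedge .com - Email: subtenda@gmail.com
goedgescan .com - Email: subtenda@gmail.com
luxscan6 .info - Email: donboset@gmail.com
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 Email: xinhuawuhan@yahoo.com
"""

# Defanged domain at the start of a line: labels, optional whitespace, ".tld".
DOMAIN_RE = re.compile(r"^([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)\s*\.\s*([a-z]{2,})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_record(line, inherited_ips):
    """Parse one line of the list.

    Returns (domain, ips, email) with the domain re-fanged, or None for a
    line that does not start with a domain. A line carrying no IP inherits
    `inherited_ips`, the IPs of the last line that had any (assumed rule).
    """
    stripped = line.strip()
    m = DOMAIN_RE.match(stripped)
    if not m:
        return None
    domain = f"{m.group(1)}.{m.group(2)}".lower()
    rest = stripped[m.end():]
    ips = IPV4_RE.findall(rest) or list(inherited_ips)
    email_match = EMAIL_RE.search(rest)
    email = email_match.group(0).lower() if email_match else None
    return domain, ips, email


def cluster_records(text):
    """Group domains by registrant e-mail and by hosting IP.

    Returns two dicts: email -> set of domains, ip -> set of domains.
    """
    by_email = defaultdict(set)
    by_ip = defaultdict(set)
    current_ips = []
    for line in text.splitlines():
        rec = parse_record(line, current_ips)
        if rec is None:
            continue
        domain, ips, email = rec
        current_ips = ips
        if email:
            by_email[email].add(domain)
        for ip in ips:
            by_ip[ip].add(domain)
    return dict(by_email), dict(by_ip)


def shared_registrants(by_email, min_domains=2):
    """Registrant addresses that control at least `min_domains` domains.

    These are the pivots: one such address exposes every domain registered
    under it, which is exactly what bulk-bought throwaway accounts avoid.
    """
    return sorted(e for e, doms in by_email.items() if len(doms) >= min_domains)


if __name__ == "__main__":
    emails, ips = cluster_records(SAMPLE_RECORDS)
    for email in shared_registrants(emails):
        print(f"{email}: {sorted(emails[email])}")
    for ip, doms in sorted(ips.items()):
        if len(doms) > 1:
            print(f"{ip}: {sorted(doms)}")
```

Run against the full list, the e-mail clusters reproduce the portfolios the post describes (jokinzer@gmail.com alone covering dozens of the scan*6 .info names), while the IP clusters show which "unrelated" registrants share one host, which is the signal a blocklist maintainer or abuse desk wants when a single registrant address is deliberately not reused.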
clean-pc-now .net - 94.75.233.162 - Email: robertsimonkroon@gmail.com
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com
spyware-scaner .com - Email: robertsimonkroon@gmail.com
scan-pc-now .com - Email: robertsimonkroon@gmail.com
free-tube-porn .biz - Email: robertsimonkroon@gmail.com
spyware-killer .biz - Email: robertsimonkroon@gmail.com
softportal-extrafiles .com - 64.20.38.172
exe-profile .com - Email: kimwerner92@yahoo.com
extrafiles-softportal .com - Email: opipkl@googlemail.com
softportal-files .com - Email: kimwerner92@yahoo.com
softportal-extrafiles .com
load-exe-soft .com - Email: kimwerner92@yahoo.com
exe-box .com - Email: normtroup@yahoo.com
hot-exe-area .net - Email: josepetie@gmail.com
spywarecomputerscanv2 .com - 69.10.59.35 - Email: huang@bark.edu.hk
1live-antimalware-pro-scan .com - Email: hongkong@campusparis.org
1live-antimalware-scanner .com - Email: hongkong@campusparis.org
folderantispywarescanner .com - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: vanmullem@yahoo.com
restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com
msncoreupdate .com - Email: jen@parallelslive.cn
world-payment-system .com - Email: info@yashitaindian.com
liveinternetupdates .com - Email: kuzya77@freebbmail.com
onlineantivirusmarket .com - Email: podbisb@hotmail.com
threats-scanner .com - 69.4.230.204 - Email: vanmullem@yahoo.com
securitypcscanner2 .com - Email: office@actionaidinusa.org
anti-virussecurity3 .com - Email: office@actionaidinusa.org
private-online-scan .com - Email: info@kianah.org
liveantivirusproscan .com - Email: second@freebbmail.com
no1virusscan .com - Email: info@kianah.org
my-private-protection .com - Email: info@kianah.org
scanmyfolders .com - Email: info@kianah.org
scanmycomputerforvirus .com - Email: vanmullem@yahoo.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
relevantwebsearches .com
virussweeper-scanvirus .com
guardincorp .info
mainsecsys .info - Email: andrew.fbecket@gmail.com
guardsecurity .info - Email: poljaykop@gmail.com
virusalarm-scanvirus .net
best-protect .info - 174.142.113.205 - Email: chainadmin@gmail.com
best-protect-av1 .info - Email: chainadmin@gmail.com
best-antivirus-pc .info - Email: chainadmin@gmail.com
best-av1-protect .info - Email: chainadmin@gmail.com
av1-protect .info - Email: chainadmin@gmail.com
av1-best-protect .info - Email: chainadmin@gmail.com
best-protect .info - Email: chainadmin@gmail.com
best-av .info - Email: chainadmin@gmail.com
pay-virusshield .cn - 64.213.140.70 - Email: unitedisystems@gmail.com
shieldinc .info
systemprotectinc .info
ironshield .info
myofficeguard .info
protectionurl .info
my-protection .info
antivirus09 .net
fast-antivirus .net
virusshieldpro .com - 64.86.16.127 - Email: unitedisystems@gmail.com
prestotuneup .com - Email: hycderxvur@whoisservices.cn
virussweeper-scanvirus .com
virusmelt .com - Email: nuhuarrczq@whoisservices.cn
systemsec .info
shieldinc .info
myofficeguard .info
protect-online .info
protectionlol .info
protectionurl .info
virussweeper-scan .net
advanced-virus-remover2009 .com - 92.241.176.188 - Email: masle@masle.kz
trucount3005 .com - Email: chen.poon1732646@yahoo.com
antivirus-scan-2009 .com - Email: cheng2009@yahoo.com
antivirusxppro-2009 .com - Email: u@sochi.ru
advanced-virusremover2009 .com - Email: giogr@ua.fm
bestscanpc .com
trucountme .com - Email: valentin@gergiea.kz
vs-codec-pro .com - Email: bhtjnjhggn@googlemail.com
vscodec-pro .com - Email: cyber38462@hotmail.com
antivirus-2009-ppro .com - Email: cheng2009@yahoo.com
onlinescanxppro .com - Email: chen.poon1732646@yahoo.com
downloadavr .com - Email: gorbun@ua.fm
bestscanpc .net
activation-antivirus-software .com - 208.43.124.83 - Email: matlee@fsuk.edu
fxantispy .com - Email: TycoonMichael@googlemail.com
my-protection .info - 64.213.140.70 - Email: hop.davis@gmail.com
protectonline .info - 64.86.17.47 - Email: hop.davis@gmail.com
safetywwwtools .com - 209.44.126.36 - Email: martin.s.johnson@spambob.com
defenderupdates2 .com - 89.248.168.46 - Email: china@seban.se
securitytoolsdirect .com - 209.44.126.22 - Email: RuthMMarcotte@text2re.com
best-antivirus-security .com - 84.16.237.52 - Email: valentinyermolaev@gmail.com
malwaresdestructor .com - 206.53.61.74
suprotect .com - 89.149.212.218 - Email: uuuuu@ua.fm
threatpcscanner .com - 63.223.110.177 ; 78.47.132.216 ; 78.47.172.66 - Email: vanmullem@yahoo.com
antimalwareliveproscannerv3 .com - Email: vanmullem@yahoo.com
antivirus-online-pro-scan .com - Email: vanmullem@yahoo.com
avpro-labs .com - 213.182.197.229
avprotectionstat .com - 74.50.99.236
explorerfilescan .com - 63.223.110.178; 78.47.132.221; 78.47.172.68 - Email: xinhuawuhan@yahoo.com
antivirushelpscanner .com A 83.133.125.116; 69.10.59.35; 83.133.125.116 - Email: info@brandturkey.com
fastfolderscanner .com - Email: info@brandturkey.com
mycomputerscanner .com - Email: info@brandturkey.com
mal-warexls .net - 72.9.108.26 - Email: joehugardo@ya.ru
internetware-safe .com - Email: candikeller@ya.ru
scanonlinesite .info - 66.148.74.126
scanonlineblog .info
scanonlineshop .info
scanonlinenow .info
youravprotection .com - 74.50.98.162 - Email: armandgregory3@gmail.com
registerantivirus .com - Email: ed.areyra@gmail.com
avprotectionstat .com
avagent-pro .com - 83.133.126.46 - Email: dwrdcardenas95@gmail.com
downloads-123 .com - Email: dwrdcardenas95@gmail.com
soft-process .com - Email: dwrdcardenas95@gmail.com
download-123 .cn - Email: dwrdcardenas95@gmail.com
actupdate .net - Email: dwrdcardenas95@gmail.com
softwaresecuredbilling .com - 209.8.45.122 - Email: TemchenkoViktor@googlemail.com
softsales-discount .com - Email: daunrwwciq@whoisservices.cn
best-internet-payments .com - 209.8.45.148 - Email: specsupport@gmail.com
adioro .com - 213.174.152.32 - Email: xyhsbjlrl@whoisprivacyprotect.com
secure-plus-payments .com - 209.8.25.204 - Email: sparck000@mail.com
secure.pnm-software .com - 209.8.45.124 - Email: pnm-software.com@liveinternetmarketingltd.com
soft-process .com - 83.133.126.46 - Email: XtPbtP@privacypost.com
privatesecuredpayments .com - 78.46.216.238 - Email: TemchenkoViktor@googlemail.com
These payment processing gateways are sometimes front-ends to the original, and often legitimate, payment processors. In this particular case the legitimate processor is Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in the scareware affiliate model, with several complaints of repeated credit card billing, which in reality is included in the scareware's Terms of Service. Upon a successful purchase the customer is told that "This charge will appear on your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has also been using the following ChronoPay accounts for over a year - Chrpay.com/meyrocorp; CHrpay.com/pnra - using disconnected numbers and the CallerIDs of scareware operations, leading to desperate attempts to contact the alias behind the front-end payment processor and ultimately to several hundred ChronoPay-related complaints.
Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have been used in a mobile application scam dissected here, and to have been the victim of a DDoS attack in 2008, which is pretty logical: if ChronoPay is the payment processor of choice for the hundreds of thousands in scareware-generated revenue on a daily basis, the commissions ChronoPay takes from cybercriminals would be more than welcome in a competing payment processor's network.
Related posts:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
A Diverse Portfolio of Fake Security Software - Part Twenty One
A Diverse Portfolio of Fake Security Software - Part Twenty
A Diverse Portfolio of Fake Security Software - Part Nineteen
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
This post has been reproduced from Dancho Danchev's blog.
¡Ay, Caramba!
Hackers have invaded the Best Buy website to plant exploit code targeted at South and Central American surfers.…
The change in policy is attributed to a furore that arose after one applicant contacted the Montana's News Station expressing concern about that particular aspect of the background check.
The city justified the login details request as just another part of an extensive background check they perform on all employees. The precautions were meant to ensure that those holding positions where they'd be handling the city's funds or operations will be reputable and honest. And presumably smart enough not to post details of any objectionable activity they might engage in online.
The Bozeman Daily Chronicle also mentioned that elected city commissioners weren't affected by the policy, only city employees.
What's actually rather interesting to consider is that the policy has apparently been in force for about three years and according to city attorney Greg Sullivan, "No one has ever removed his or her name from consideration for a job due to the request". Rather begs the question, did they really give up their login details? Provide fake ones? Or just ignore the request?
And yes, legally, the policy does appear to be on some seriously shaky ground. Unlike some states – or countries – Montana's state constitution explicitly guarantees a citizen's right to privacy.
The request for login details was quickly removed last week. Still, it appears the city is still keen on checking applicants' online behavior, as "officials are looking at ways to alter the policy so that they might view an applicant's online information without asking for log-in codes".
On 24/06/09 At 01:53 AM

Video is available via our Video Channel, and also the Lab's YouTube Channel.
On 30/06/09 At 11:57 AM
Byron Acohido recently posted an excellent article on the topic.
The related posts on the business of scareware and rogues are also well worth reading.

Check them out.
On 22/06/09 At 12:29 PM
Another recent death, Farrah Fawcett, is also making headlines.
The subjects themselves are not related to information security, but how long do you think it will take until the bad guys pick up the news as well and start using it? Usually it has taken a few days at most.
So remember, if or more likely when you start receiving e-mails on these subjects, please be extra careful when opening any links as they might be taking you in for a rough ride.
On 26/06/09 At 11:44 AM

(picture from apple.com)
This is about as bad as it gets, as the vulnerability seems to allow unsigned code to run, which circumvents a core part of the iPhone's security model: it is normally only able to run signed code, i.e. apps that have been approved by Apple. No user interaction is required, unlike with current mobile malware. InfoWorld has the original story here.
Charlie plans to reveal more information at BlackHat USA.
PS. I'm shift manager for one of our three daily response shifts this week and I'm tweeting about what we're doing on the shift over at http://twitter.com/patrikrunald.
—————
Updated to add: Dan Goodin has more at The Register.
On 02/07/09 At 06:30 PM
Here are the privacy settings from my installation of Firefox 3.0.1.

And when I installed Firefox 3.5 the Private Browsing option was disabled. What?

Seems that the installation recognized my 3.0.1 settings as the equivalent of Private Browsing and preconfigured 3.5 to "Automatically start Firefox in a private browsing session".
Very nice work.

So, nothing changed at all. Except now I have easy options to reconfigure por… paranoi… err, Private Browsing if I opt to do so.
Time to experiment.
Signing off,
Sean
On 01/07/09 At 03:46 PM
Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites.
When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message:

We detect the dropper and the backdoors as Trojan.Win32.Buzus.bjyo.
On 29/06/09 At 08:36 AM

Signature updates are now in the database channel. You can try it from here.
On 17/06/09 At 04:29 PM
The IP address appears to be registered in Malaysia but fortunately the link doesn't seem to work.
On 01/07/09 At 02:10 AM
Here's a short video demo via our YouTube channel.
You can download it from here.
On 18/06/09 At 01:47 PM
From the New York Times: Web Pries Lid of Iranian Censorship.
And while the Internet is a source of information for political activists, there is also something else more questionable taking place… DDoS attacks against government servers in Iran.
A Twitter search for Iran and DDoS yields numerous results. Some folks are urging against DDoS attacks, but not in principle, rather because they might affect the bandwidth of political protesters. What are those concerned for the protesters promoting instead?
Targeted hacking.
We saw this earlier today on Twitter: "Please, use SURGICAL hacking only".
Our recommendation? No one should hack servers. It's a crime. Period.
Private citizens can participate in organized peaceful protests. Organizing surgical strikes against someone else's servers is virtual violence.
And violence begets violence.
Vigilante cyberwar is not a productive path upon which to proceed.
On 23/06/09 At 03:56 PM
On the whole, that's good news. It would be great however to hear of similar efforts in protecting a particular commercial resource that's definitely "critical infrastructure" – civil aviation electronic systems.
Earlier this year, the U.S. Department of Transportation released an audit report (streaming PDF here, Open rather than Save) in which it determined the national air traffic control systems administered by the Federal Aviation Administration (FAA) had significant weaknesses and vulnerabilities, potentially allowing an unauthorized party to access and control vital services and systems.
This isn't the first time the FAA has been criticized for the weaknesses in civil aviation electronic system security, with the first such criticisms coming as early as 1998.
The report cites incidents that took place in 2006, 2008 and 2009 as supporting evidence that the administrative and operational systems can be breached. The FAA contests this claim.
Not cited in the report, but of possible interest, is a 1998 incident in which a teenager successfully disabled vital airport control tower services at a regional Massachusetts airport (CNet article here).
Hopefully, with the current government enthusiasm for improving computer security, the current civil aviation systems get some attention too.
On 25/06/09 At 02:25 AM

PC World's take is that implementation of Green Dam is only a matter of time.
Our take?
If China wants to require anti-pornography filtering software that's China's business, not ours.
But the same software on EVERY computer sold in China? That's monoculture.
And as we've noted before, monocultures are subject to catastrophic failure in the event of a successful attack.
—————
More: China's Web filtering starts in the West
On 02/07/09 At 01:22 PM
All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.
This is just a quick sampling; we get a lot of these.
On 03/07/09 At 09:50 AM
Two papers for smaller businesses
Typically, vendor white papers are written with the ITDM or senior ITDM at a large company, in mind. [ITDM is industry jargon for "IT decision maker", since you ask.] People working at smaller companies are rather less well served, in quantity and quality. So today we focus our Reg Library selection on a couple of good papers aimed at small and medium-sized businesses.…
Drive-by download attack hits multiple hosts
Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.…
Making a hashtag of Web 2.0 security
The Month Of Twitter Bugs has begun with the publication of a flaw in a URL shortening service often used in conjunction with the microblogging service.…
Eve Online banker does a runner
As if high-profile investment scandals and the economic downturn weren't bad enough here on Earth, now folks have to deal with it outside our galaxy. Virtually, at least.…