Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 30 March 2009

CyberDefender: Want your money back? Forget it!

Alas it seems Slider51 (he's the guy I mentioned previously) has learnt the hard way that not doing research on a company before using them, is a bad idea.

After spending 90 minutes on the phone to CyberDefender to get his money back, he's been told they will only refund less than half of it, as their money back guarantee apparently only covers their software (you know, the software they NEVER USED TO BEGIN WITH), and doesn't apparently support their "technical support" connecting to his computer, to fix the problem using someone else's software. How lovely.

See Slider51's full details at;

http://icrontic.com/forum/showpost.php?p=678825&postcount=17

What CyberDefender obviously fail to note, is that Slider51 is fully within his rights to contact his credit card company and ask them to do a charge back - something I am hoping he'll do, and there is bugger all CyberDefender can do about it.

Lessons to learn?

1. NEVER use CyberDefender
2. ALWAYS do research on a company before using them (little hint, if they're listed in hpHosts - avoid them like the plague they are)
3. If a program will ONLY scan for free, but requires you to pay them to fix/remove something - AVOID IT!

A lesson CyberDefender should learn however, is that whilst they continue with these extremely bad and scammy practices, there will be people like me watching them - ready to publicize it in the hopes it will prevent someone else being scammed by them.

If only CastleCops hadn't shut down, or the WayBack Machine had kept an archive of the thread on CD.



References:

Rogue company, CyberDefender, uses MBAM to clean infections
http://hphosts.blogspot.com/2009/03/rogue-company-cyberdefender-uses-mbam.html

CyberDefender: Early Deceit
http://mysteryfcm.co.uk/?mode=Articles&date=17-04-2007

CyberDefender and it’s adverts!
http://www.securitycadets.com/2007/05/cyberdefender-and-its-adverts/

Catching Conficker - a New Development

I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.

The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks.

Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like nmap, nessus, and products from ncircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on this loophole, but in the meantime, the new routines should seriously mitigate the worm’s impact on corporate networks.

Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this.


http://www.eset.com/threat-center/blog/?p=888

Black Hat SEO and Rogue Antivirus p.3

AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com

READ THIS page if you need more information

In addition to the fake scanner domain, recent research also reveals that several sites are registered through "EVOPLUS LTD" with the following information:


Looking on Google shows absolutely no web presence apart from malware and pornography websites:

For "liveinternetmarketingltd": Malware domain drop and pornography websites
For "Live Internet Marketing Limited": Pornography websites
For "liveinternetmarketingltd.com": Pornography websites and malware domain found by Malware Domain List.

Looking on malwaredomainlist shows 23 sites with the registrant information "liveinternetmarketingltd.com".


http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p3.html

Sunday, 29 March 2009

Rogue company, CyberDefender, uses MBAM to clean infections

I've just found out about this and must say, it doesn't surprise me in the least.

I've written previously about CyberDefender, and looking at what this guy went through after falling for their scam to the tune of $249.99 (approx £150), they've not changed one bit - they're still rogue.

The actual Cyber Defender software was never activated until after the trojan was removed....the tech did not use the CD product at all, watching the remote fix taking place, he used MalwareBytes, Trojan Remover, and Super Anti-Spyware, as well as other packages, installing them and then uninstalling them as he went. Makes me wonder if Cyber-Defender actually had any capabilities with this trojan at all....


http://icrontic.com/forum/showthread.php?p=678333#post678333

Hat tip to Tom for the heads up

RBN Domains Fleeing HostFresh

After receiving information that the RBN malware bastion, HostFresh (aut-num: AS23898 as-name: HOSTFRESH-AS-AP), was in the process of being depeered, I decided to track fleeing malware domains.

During the takedowns of Atrivo, McColo and UkrTelegroup, we observed domains being migrated to other IP ranges, as the owners sought to keep their criminal enterprises alive.

As of Sunday morning 29 March 2009, 61% of the 18 malware domains that I sampled had been migrated:


Read more
http://securehomenetwork.blogspot.com/2009/03/rbn-domains-fleeing-hostfresh.html

Black Hat SEO and Rogue Antivirus p2

The World Wide Web Consortium and Rogue AV


Having your website hacked with IFRAME injected, trojans/backdoors?

Having your pages infected with redirection to rogue antivirus/antispyware?

Having your pages replaced with a World Wide Web Consortium article and some obfuscated javascript code appended to them?

This page will show you some recent research about a malware campaign which has infected thousands of websites. In this campaign all of these sites have been used to distribute fake antispyware called WinWebSec or FakeSpyGuard (sometimes called WinWebSecurity or SystemSecurity2009 with InternetAntivirusPro).

Since July/August 2008, hundreds of thousands of pages on legitimate domains have been exploited, having web pages stuffed with keywords (porn, celebrities, popular snacks) uploaded to them as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is being modified, appending hidden links to the malicious web page.


Read more
http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus-p2.html

Black Hat SEO - PDF Malware campaign

Previously in March, Adobe released some security updates addressing vulnerabilities and exploits using Adobe Reader. Some links can be found below:

McAfee Avert Labs: New Backdoor Attacks using PDF Documents
Trend Micro Malware Blog: Portable Document Format or Portable Malware Format?
SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild?

Adobe Security Bulletin: Buffer overflow issue

Here is a complete example with screenshots, data and analysis of a website used in the PDF malware campaign and hosting a malicious application called SUTRA.

The application, also known as "Traffic Management System", is explained by McAfee Avert Labs on this page: Inside the malicious traffic


Read more
http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-pdf-malware-campaign.html

Saturday, 28 March 2009

Adobe9.0-PDF.com + Computer Solutions Group + 208.118.54.* + Xtreme Software Ltd + Saudi Arabia = Phishing and fraud network

I've already documented phishing and fraud on the RapidSwitch network. Now Dynamoo has pointed me to a new one - Computer Solutions Group/Alchemy Communications, Inc. So far, we've identified around 54 domains running on this IP block, that are running phishing and fraud scams, similar to those run by RapidSwitch and their customers.

Full details can be found on the Dynamoo blog;

http://www.dynamoo.com/blog/labels/Adobe.html

Hat tip to SysAdMini (MDL) for the heads up.

References:
http://hosts-file.net/?s=208.118.54.244&view=history
http://hosts-file.net/?s=208.118.54.247&view=history

Conficker Removal

My friend David at Eset has some info and a removal tool, for those of you still wondering how to remove Conficker;

http://www.eset.com/threat-center/blog/?p=865

Worth reading even if you're not, as the removal tool will tell you if your system is actually infected, and he links to the respective MS patches to prevent it.

Full Circle Magazine: Issue 23

The moment you've all been waiting for...

We’ve got a whole lot of Full Circle goodness for you in this issue! Plus, one more month to our two year anniversary! Can you believe it?

This month:

* Command and Conquer - Troubleshooting.
* How-To : Program in C - Part 7, Web Development - Part 4, and Spreading Ubuntu - Part 2.
* My Story - Becoming An Ubuntu User
* Book Review - How To Be A Geek Goddess
* MOTU Interview - Steve Stalcup
* Top 5 - Task Managers
* PLUS: all the usual goodness…

Read More
http://fullcirclemagazine.org/2009/03/28/issue-23-released/

Get it while it's hot!
http://fullcirclemagazine.org/issue-23/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Spambot Search Tool v0.26

Version: 0.26

* Modified StopForumSpam query to allow for newly introduced query limit

http://www.stopforumspam.com/forum/t573-Rate-Limiting

* Modified Spamhaus query when using the web interface (CBL and PBL are still shown, but not flagged as spammer)
* Default config.php renamed to config.sample.php to allow for easier upgrade
* Default counter.php renamed to counter.sample.php to allow for easier upgrade
* Updated installation notes

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

ClamWin - another F/P - UniExtract.exe: Worm.Autoit-37

Yep folks, it seems ClamWin has gotten another F/P. This time in the form of Universal Extractor;

UniExtract.exe: Worm.Autoit-37

Friday, 27 March 2009

StopForumSpam to introduce limit on API queries

Russ has announced a limit is to be introduced (around 1000 apparently) on how often you can query the SFS database. Sadly this is going to affect those using the Spambot Search Tool so I'll release an update soon to allow for this.

In the meantime, details can be found at;

http://www.stopforumspam.com/forum/t573-Rate-Limiting

Black Hat SEO and Rogue Antivirus

For several months now, massive attacks (obfuscated javascript inserted - IFRAMEs to inject backdoors/keyloggers) using hacked websites to distribute rogue antivirus via thousands of websites have been detected by major antivirus vendors, cyber intelligence labs and other security companies.

The exponential growth of rogue antivirus distributed through legitimate websites has remained silent as the tactics used by the creators have continued to become more sophisticated.


Read more
http://malware-web-threats.blogspot.com/2009/03/black-hat-seo-and-rogue-antivirus.html

Malicious SMS sending victims to persdata7.com

I've been advised by Holger at Malware Domain List, that a malicious SMS message is doing the rounds, pointing victims to persdata7.com with the following SMS message (and variations thereof);

someone posted your full personal and banking information at hxxp://persdata7.com website you must remove it now


I'm trying to find out which number is sending these so I can get in touch with their provider, and am trying to get in touch with Global Net Access, LLC, who actually host persdata7.com.

persdata7.com currently infects victims with the Ambler trojan (naughty naughty). If you receive one of these SMS messages, DELETE IT - DO NOT VISIT THE WEBSITE.

/update 16:50

I've spoken some more to Holger and the number that was sending the text messages was;

+380672132627

persdata7.com has now also been suspended.

/update 20:30

I've been doing some research, and from what I can find, +38 is an Albanian mobile phone, possibly provided by AMC (Albanian Mobile Communications). I'm trying to get in touch with them to get this verified (if it does not belong to them, they will hopefully point me in the direction of the correct provider).

/update 20:50

Holger has advised me that +380 is actually the Ukraine .... (why the sites I looked at didn't mention that is beyond me).

References:

Malware Domain List - persdata7.com
http://www.malwaredomainlist.com/forums/index.php?topic=2639.0

Internet Storm Center - There is some SMiShing going on in the EU
http://isc.sans.org/diary.html?storyid=6076

Money Saving Expert - Text message scam
http://forums.moneysavingexpert.com/showthread.html?t=1588413

Thursday, 26 March 2009

supportonclick.com scamming you by telephone!

I am posting this as a warning concerning a scam currently doing the rounds, that unfortunately, risks tarnishing the good name of Malwarebytes.

The scam, documented here, warns of scammers phoning you up, claiming to be calling from or on behalf of, Malwarebytes and telling you your computer is running slow etc, in an effort to get you to purchase "malware protection".

The user that reported this mentioned that they gave two contact numbers;

781-452-0714 (Massachusetts)
347-289-3770 (New York)

Whether these were the numbers they called from, is not known. Reports on 800notes.com show this dating as far back as December for the 347 number, and February for the 781 number.

In all cases reported, the company doing the scamming, is supportonclick.com, registered to Pecon Software Ltd in India. The numbers they provide on their website are;

347 289 3770 (USA)
212 796 0581 (USA)
646 884 9561 (USA)
647 722 8426(Canada)
01274 - 900 834(UK)
01274 - 449 373(UK)
2801 475 93(Australia)
7312 351 48(Australia)

Sadly, there seem to be a lot of people falling for this, so in an effort to help prevent this, I'd like to make a few things clear;

1. These scammers are NOT from or related to, Malwarebytes

Malwarebytes are aware that these scammers are doing the rounds, and are in touch with their lawyers concerning this matter. The affiliate they found to be related, has had their account terminated, and any further affiliates found to be involved in this, will also be terminated.

2. Malwarebytes will NEVER contact you, by phone, e-mail or otherwise, unless YOU contact them FIRST! (and even then, they will NOT call you by phone)

3. When they mention your computer is running slow, ask yourself - how do they know? They aren't sitting in front of your computer. This is the first clue that these are scammers.

If you are called by these people, either put the phone down immediately and report the call to your phone company, or record the call (DO NOT GIVE THEM ANY CREDIT CARD OR OTHER SUCH DETAILS!) and pass it to the phone company and the police.

If you've got any questions concerning this, please contact Malwarebytes;

http://malwarebytes.org

Malwarebytes Forums
http://www.malwarebytes.org/forums/

/update 28-03-2009

I found another number they're using whilst doing some research;

212-796-4064
http://800notes.com/Phone.aspx/1-212-796-4064/4

/update 28-03-2009 #2

Thanks to "The H Security", I've added a reference below to a warning from Staffordshire County Council concerning this matter.

For those wondering who to report this to, it should be reported to Trading Standards and to SupportOnClick's hosting company (Hyderabad Network Operations/Net4India Ltd), and of course, to the police as this is fraud. Those in the UK may also want to report this to BBC's WatchDog ;)

/edit 11-04-2009

Good news folks, this story has been picked up by the folks at El Reg! (perhaps this now means, the negative publicity will force someone with authority, to take action against supportonclick.com and their ilk)

Scareware scammers adopt cold call tactics
http://www.theregister.co.uk/2009/04/10/supportonclick_scareware_scam/



Reference:

New scam - They call you by phone!
http://www.malwarebytes.org/forums/index.php?showtopic=11156

Staffordshire Council - Telephone computer support warning (PDF)
http://www.staffordshire.gov.uk/NR/rdonlyres/6997DBB0-E31E-4AFB-A886-C9DDEE114204/90090/TelephoneComputerSupportWarning.pdf

Tuesday, 24 March 2009

Spambot Search Tool v0.25

+ Added DroneBL lookup (dronebl.org)
+ Added extra error handling to CreateDatabase() function
* Modified CreateDatabase() function (will now try to create tables even if the DB already exists)

Ref: http://www.stopforumspam.com/forum/p3640-Yesterday-8%3A34#p3640

* Fixed error in LogSpammerToDB() function

Ref: http://www.stopforumspam.com/forum/p3646-Yesterday-12%3A00#p3646

* Improved W3C HTML validation
* Changed $BaseMatch default value to "" (so it works as it did prior to selective matching being added)

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Saturday, 21 March 2009

Fighting CyberCrime: It's time for a little thanks!

Over the years, I've "worked" either directly or indirectly, with a multitude of companies, to help shut down those involved in cybercrime, using said companies' services.

I don't think I've ever taken the time to document them before, with the exception of a quick mention of Magrathea last year, so am doing so now, as a thank you for being extremely helpful and extremely quick, to shut down the criminals.

Magrathea Telecom

Magrathea Telecom offer a number of services, the main one that I see abused, is telephone routing. This involves the use of an 070 number (Ref: Personal Numbers), that the scammer then inserts into phishing scams such as the following, received a few minutes ago;

Dear Winner,

The BMW Automobile Company, Congratulate you as one of our Ten(10)Star Prize Winner. You won (£750,000.00 GBP) Seven hundred and fifty thousand Great British Pounds and a new BMW 2009 X6 xDrive 35 Car The BMW (IAP) held on 21 March 2009, in London. Contact him with: Full name/Contact address/Sex/Tel/Occupation/Age/Country.

Mr.Louis Moore,
E-mail:bmwclaimsunit@hotmail.com
Phone: +44 7024019869
Fax ;+44 7005-964-94

Regards
Mrs Kate Williams.


Magrathea have helped me to shut down a whole slew of these guys, so deserve a huge thanks!

Lycos

Whilst certainly not the quickest to respond, Lycos have been immensely helpful in helping me shut down those abusing their services to infect the unwary and/or to store data stolen by keyloggers.

Though it should be noted, because the stolen data typically includes usernames, passwords, bank details etc and other information, I no longer try and have these shut down. Instead the details are forwarded to law enforcement as the stolen data is useful for them in both gathering evidence, and informing the victims that their data has been stolen.

Dynamic Network Services, Inc. (aka DynDNS)

Alas having a dynamic IP isn't enough to stop a crapware author or scammer. All they need to do is set up a hostname that will redirect to whatever their current IP happens to be. DynDNS is a company that provides such a service.

Thankfully however, DynDNS have also been extremely helpful, and quick to respond, to help shut down these idiots.

The most recent of which, was an IP that was used to host scripts that were then used to attack other services via an RFI attempt. DynDNS had this one shut down within a matter of hours of receiving my report.

Freehostia

Freehostia is a hosting company that provides both free and paid web hosting. Sadly, free services are all too often abused for malicious purposes. Most companies I've dealt with that provide such, either take their time to take such down, or simply don't bother at all (I'm looking at you Google!). Thankfully the same cannot be said for Freehostia, who have very quickly shut down the accounts of those I've reported.

WordPress

WordPress is a very popular company that provides free hosted blogs. Again, free services are all too often abused as they are usually quick to setup, don't cost anything, and can be re-created in seconds.

WordPress however, have been immensely helpful in shutting down those that are abusing its services - the same alas, cannot be said for its competitor (yep, I'm looking at you again Google!)

Microsoft

We all know Microsoft, so I'll save going into their offerings. Some hate them, some love them, others couldn't care either way.

However, millions use their free e-mail services - and this is why they are listed here. When I've come across and reported, compromised Hotmail/Live/MSN accounts, Microsoft have been extremely quick to help get the accounts secured again. If only Yahoo were the same ....

Internet Storm Center (aka ISC)

I would like to extend a special thank you to the ladies and gents at the ISC, who have helped on a lot more than one occasion, to either secure compromised e-mail accounts, compromised profiles on social networking sites such as Facebook, and a multitude of other things over the years - you've been great guys!

The above is by no means a complete listing, and my apologies to those companies and individuals that are not listed here (my memory isn't what it used to be), but I'd like to offer all a huge thank you for helping to make the interweb safer.

Thursday, 19 March 2009

FileFix Pro 2009: Ransomware makes a comeback

Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, have long been a way to monetize infected computers. Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".

Over the past couple of days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc) on your system, and "coincidentally" pushes a program called FileFix Pro 2009 which would decrypt them - for a fee. Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom. Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.


Read more
http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

Final Release of Internet Explorer 8 Now Available

Today on Day 2 of MIX09, Internet Explorer General Manager Dean Hachamovitch during his keynote this morning in Las Vegas announced the availability of the final release of Internet Explorer 8 to download and install on their PCs.

Click here to download Internet Explorer 8!

Internet Explorer 8 is available for the following Windows releases: Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Server 2008, and Windows Vista (RTM), SP1 and SP2.

With Internet Explorer 8, common tasks on the Web are faster and easier. I'd like to take a moment and highlight how I am using Internet Explorer 8 today to quickly accomplish tasks that are important to me. It all starts with my favorite Internet Explorer 8 feature - the Favorites Bar. The Favorites Bar in Internet Explorer 8 gives people quick access to information such as their top favorites and Web Slices.


Read more!
http://windowsteamblog.com/blogs/windowsexperience/archive/2009/03/19/final-release-of-internet-explorer-8-now-available.aspx

Wednesday, 18 March 2009

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari

A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7.

He won a cash prize and got to keep the hardware. Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!” are being kept under wraps.


Read more
http://blogs.zdnet.com/security/?p=2934

Sunday, 15 March 2009

Introducing WinPatrol 2009

Bill Pytlovany has done it yet again. Somehow he has made a great program even better by adding even more helpful features to WinPatrol. Although WinPatrol 2009 is compatible with all Microsoft operating systems, it was specifically designed to work with Windows 7.

WinPatrol is free for personal use and WinPatrol PLUS is available for a one-time $29.95 charge.

Following is a description of the additions to WinPatrol 2009.


Read the full article
http://securitygarden.blogspot.com/2009/03/introducing-winpatrol-2009.html

Download WinPatrol 2009!
http://www.winpatrol.com/download.html

Waledac Theme - Reuters: Terror Attack

Looks like the Waledac Authors wore the Couponizer theme out, and have now switched to a new headline "Terror Attack" theme. Headline News themes are nothing new to botnets like Waledac, as the Storm Worm used them a few times with fairly decent infection rates. Another note of interest with this attack is the continued usage of GeoIP data to customize the news article for visitors. I utilized several web proxies and the Waledac GeoIP database seems to provide extremely accurate IP to Location results. Take a look at a screen grab I took while I was utilizing a Woodstock web proxy.


Read the full article
http://www.sudosecure.net/archives/508

Thursday, 12 March 2009

Eset Smart Security 4: A first look

Eset Smart Security version 4 was released yesterday, and thanks to my friend at Eset, I've been given a licence so I can review it.

I'm happy to say, so far I'm very impressed. The installation was smooth, and after a re-boot (wasn't required but I did it anyway), and a little customization of the settings, it's up and running quite nicely with very little slow down of the system.

Those of you with a DVD writer will be even more pleased with ESS 4 due to one of the new tools it includes, Eset SysRescue, that allows you to create a rescue CD/DVD/USB, should your system either become unbootable, or prevent the loading of ESS, due to infection.


One of the other nice new features is the SysInspector, also available to download separately here. This facility allows you to create a snapshot of the system periodically for, as the name suggests, inspection. You can read more detailed information on the SysInspector at;

http://www.eset.com/download/sysinspector.php

I'll be running this for a few months or so to see how it performs, especially where detections are concerned, and will post back with a review.

MDL needs YOU!

Fancy yourself as a graphics artist? Maybe just a novice that likes creating icons? Either way, Malware Domain List needs your help.

MDL has put out a request for a new favicon. If you fancy creating a few, please feel free to submit them to the MDL forums at;

malwaredomainlist.com/forums

There's no competition here, no prizes to win - just the knowledge that you're helping out a security forum :o)

aida32.bin: ClamWin made a boo boo again

I said last time that ClamWin doesn't often make mistakes, but they seem to have done so again. This time, flagging Aida32's .bin file as Trojan.Agent-81497. Alas this is an F/P, Aida32 is completely safe, always has been.

I've reported it as an F/P via backrooms as attempts to do so via their F/P reporting form at clamav.net, resulted in their form rejecting my submission due to ClamAV already detecting the file (Doh!, that's why I was reporting it :o( ).

If you're using Aida32 and ClamWin on the same machine, ensure you've told ClamWin to ignore the Aida32 directory, or at the very least (and more recommended as ignoring directories/files leaves your system more at risk), have it ONLY report what it finds, and not remove/quarantine them, otherwise you'll find Aida32 isn't going to run.

Wednesday, 11 March 2009

Spambot Search Tool v0.24 Released

v0.24 12-03-09

Changes:

+ Added extra match options for $BaseMatch var (you can now use multiple match selections without manually editing the switch codes)
* Fixed counter increments when check_spammers_plain.php is queried, regardless of whether or not $spambot = true
* Moved counter control to IncreaseCatchCount() function to save code duplication
* Moved text file controls (for logging spammers) to LogSpammerToFile function to save code duplication
* Username passed is now wrapped in htmlentities() and urlencode() for additional security (albeit not much)
+ Added optional logging to MySQL database (created automagically if it doesn't exist). To enable this, see config.php

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Tuesday, 10 March 2009

hpHOSTS - UPDATED March 10th, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 57,810 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Last Updated: 10/03/2009 15:33
Last Verified: 10/03/2009 14:30

Download hpHosts now!
http://hosts-file.net/?s=Download

Sunday, 8 March 2009

Bad Actors Part 6 - Eurohost LLC (aka UralNet?)

A funny thing happened after I posted my last article - the UralNet IP block was removed from the global routing table. I didn't see any notifications in the press or on any network operations lists (although I am not on any RIPE-specific listservs), so my suspicion is that they are simply lying low for a bit. I assume that if they had their plug forcibly pulled then the responsible party would want to be recognized (rightfully) for taking a step against cyber-crime in the region.

Another reason why I believe they are lying low is that an AS that had been dormant (unrouted) for months came back online this week and immediately started hosting much of the malware that used to be on UralNet. They've only been back a week, have a mere /24 (256 IPs), don't have a corporate homepage, and yet, already have quite a few criminal customers.


Read the full article
http://blog.fireeye.com/research/2009/03/bad-actors-part-6-eurohost-llc.html

Symantec - we knew they weren't trustworthy, but this is a new low

Symantec have never been a company I've recommended for security products - ever. In fact, the only product I've ever recommended is Ghost (and even then, there are now free alternatives courtesy of Linux), but the latest development shows Symantec have entered a new phase - one which shows a complete disregard not only for their competitors (yeah, not really surprising), but also for their customers. One which shows they have no right to chase people down for disregarding their licencing terms, when they are more than willing to disregard licencing terms for other programs.

Alas this is not all however. I've mentioned before about their including malware (in the form of Ask (aka IAC) products) in Norton 360 - now they're including this rubbish in their other programs - something completely unforgivable.

I'll save ranting anymore, and just let you read the following instead.

http://securitygarden.blogspot.com/2009/03/recommendation-replace-norton.html

http://msmvps.com/blogs/donna/archive/2009/03/07/symantec-pushed-ask-to-norton-internet-security-and-norton-antivirus-customers.aspx

Our recommendation? GET RID OF ALL SYMANTEC PRODUCTS!

Friday, 6 March 2009

hpHosts Forums

Just a note folks. I know the hpHosts forums have been offline since the beginning of November 2008. Unfortunately I've not had the time to go through the phpBB code and upgrade it to conform with the latest release, and add my own security additions (don't want to start the forums from scratch again unless I have to).

I am hoping to have some time within the next 4-8 weeks to work on them, and should hopefully have the forums back online within 2-3 months.

In the meantime, you can still send me additions/updates/removal requests, via the Contact Form provided.

Kidimbo Grace, hard drives and a bad cheque

My friend Jonathan at Wrightway Computers recently had an interesting order from Uganda (no stores locally huh?), for 80 hard drives. Needless to say he had a bit of fun with them, especially as it was instantly noticeable that it was a scam.

The covering letter they sent with the cheque should make it instantly clear to everyone;



To be honest, this comes as absolutely no surprise, bad cheque and all, as it's rather typical of the 419'ers to try and scam as much as they can, without getting noticed. Alas their Ugandan counterparts are a little less savvy, so are even easier to spot.

He doesn't have the original cheque anymore as the bank obviously wanted to keep that for investigation. They did however, give him a photocopy;



The e-mail addresses they used to contact him are;

payments@fsmail.net
kidimbograce@gmail.com

He did send them the following (amongst others), asking for proof of identity in the form of a video clip, but disappointingly, they never sent one, instead opting to stop dealing with him and "Just faxed the copy to bank not to cash it" (how nice).

Hi Grace
Thanks for the reply, I now have your address.

We do have 2.5” USB Drives in stock both 160GB @ £36.82 and 320GB @ £57.31 This is a special discount price as you are now a returning customer. We have just received a delivery of these items direct from the manufacturer and we are looking to move them quite quickly. If you are interested we have 200 of each item you can order them all or just a few.

Send payment as before if you like.

I still haven’t had a chance to go to the bank with your cheque and I really need that photo to verify your credentials, if you send me a video clip of you with a bowl of fruit on your head while dancing to the Macarena I will know it is from you.

Kind regards

Jonathan Wright


Alas poor Kidimbo didn't know what he meant, and was perplexed to have been asked for a video clip (claimed he/she had tried sending one but it hadn't worked), so my good friend Jonathan, being the helpful fellow he is, sent them the following to clarify;

Hi Grace

I hope you enjoyed your time out of the office, it is nice to be able to spend your time out and about. When I get out I like to go diving up around the Scottish isles just off the coast of Muff. I also enjoy Haggis hunting, they are tricky little devils to catch with their odd size legs they can run round the hills quite quickly.

I should be able to bank your kind cheque by the middle of next week.

I realise the video clip is a strange request but my business partner Steven is demanding you send it. (his real name is actually Mr Ivor Biggin but he likes to be called Steven, well apart from Saturday nights of when he likes to be called Shirly) I am sure you understand and you will send the video clip very soon.

We are looking forward to doing more business very soon.

Regards
Jonathan Wright


I must admit, I've had my share of fun with scammers, but this one particularly tickled me. Excellent work Jonathan, and a good lesson to the rest of you, especially on how to spot them (and of course, which of their e-mail addresses to avoid ;o)).

PDF Vulnerability Now Exploitable With No Clicking

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 ways the vulnerability can trigger without even opening the PDF document.

The first 2 demos use a “classic” /JBIG2Decode PDF exploit, the third demo uses a new PoC /JBIG2Decode PDF exploit I developed. This PDF document has a malformed /JBIG2Decode stream object in the metadata instead of the page. All PDF documents used have just a malformed /JBIG2Decode stream object, they don’t include a payload (shellcode), nor a JavaScript heap spray.


Read more
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/

Kudos to Celtic Ferret @ CoU for the heads up
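The point of Didier's third demo is that the /JBIG2Decode stream lives in a /Metadata object, so a scanner that only inspects page image XObjects never sees it. The following is an added example (my own code, not Didier's, and not a copy of his pdfid tool) of a defender-side triage check: it walks every indirect object in a PDF, reports each one that declares the /JBIG2Decode filter, and notes whether a /Page object actually references it. The sample PDF is constructed inline for illustration and carries no malformed data or payload.

```python
import re

# Constructed sample PDF (not a real exploit): one page whose image uses
# /FlateDecode, plus a /Metadata object that declares /JBIG2Decode, which
# is where the quoted post says the PoC puts the malformed stream.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Filter /FlateDecode /Length 2 >>
stream
xx
endstream
endobj
5 0 obj << /Type /Metadata /Subtype /XML /Filter /JBIG2Decode /Length 4 >>
stream
JB2!
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)


def unescape_names(body: bytes) -> bytes:
    """Resolve #xx escapes so /JBIG2#44ecode is seen as /JBIG2Decode."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), body)


def find_jbig2_objects(pdf: bytes):
    """Return [(object number, /Type, referenced_from_page)] for every indirect
    object whose dictionary names /JBIG2Decode. Objects packed inside
    compressed /ObjStm streams are not unpacked by this simple scanner."""
    objects = {int(m.group(1)): unescape_names(m.group(3))
               for m in OBJ_RE.finditer(pdf)}
    # Object numbers referenced directly from any /Page dictionary.
    page_refs = set()
    for body in objects.values():
        if re.search(rb"/Type\s*/Page\b", body):
            page_refs.update(int(n) for n in re.findall(rb"(\d+)\s+0\s+R", body))
    hits = []
    for num, body in objects.items():
        if re.search(rb"/JBIG2Decode\b", body):
            t = re.search(rb"/Type\s*/(\w+)", body)
            hits.append((num, t.group(1).decode() if t else "?", num in page_refs))
    return hits
```

A hit whose object is not referenced from any page (here object 5, type Metadata) is exactly the case the post describes: nothing on the rendered page points at the stream, yet any component that parses the metadata can still decode it.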

Tuesday, 3 March 2009

Yipee, more e-mail problems

Just a note folks, it seems I've got sporadic problems with people sending me e-mails that are not getting through. I'm going to get in touch with my provider to find out what's causing it, but in the meantime, if you've sent me an e-mail and I've not responded, or send me an e-mail in future and I don't respond within 48 hours, it's not because I've ignored you - it's likely I've not received your e-mail, in which case, I can be contacted via the TeMerc forums at;

http://temerc.com/forums

Monday, 2 March 2009

PCWorld "reviewer" has their turn at talking bollocks

We all know we can't trust the bad guys, but it seems over the past few years, there's more and more so-called good guys you can't trust either - now including PCWorld who, instead of providing unbiased reviews, decide to falsify results to peddle their advertising partner (Symantec, surprise surprise), instead of allowing their users to have unbiased facts.

When are these idiots going to learn, they are supposed to be providing services/software based on their USERS NEEDS, and not based on earning a fast buck.

and now, PCWorld joins the ranks:
http://www.pcworld.com/reviews/product/44056/review/premium_security_suite_82.html

they vote their advertising partner, Symantec, top place. Avira did better overall, so they lower Avira's score based on a "poor" interface including -- hang on, folks! -- Avira is the only one of the eight tested software suites without the convenience of (groan) A TOOLBAR! Now Joe Plumber knows exactly what to look for in his security software's interface!

What irks me tremendously is that in their zeal to sell Norton by discouraging people from considering Avira, they erroneously state that the only support available for Avira is by emailing Germany & waiting for a response. So let me inform everyone that Avira maintains a very active and responsive forum IN ENGLISH. In fact, when I trialed Avira's Antivir Premium, I was so impressed by the level of support that I received at the forum, as well as with the antivirus software itself, that I purchased a license.


Read more
http://www.calendarofupdates.com/updates/index.php?showtopic=16253&st=50&#entry75363

Sunday, 1 March 2009

Scams Target You - Protect Yourself

It’s Fraud Awareness Week here until the 9th of March, so plenty is going on in regards to helping people educate themselves, and report scams to protect others.

ScamWatch New Zealand has provided some useful examples of people being scammed which is always worth reading.

If you aren’t much of a reader, here’s the short version.

There are no guaranteed get-rich-quick schemes – the only people who get rich are the scammers.
  1. DON’T respond to offers, deals or requests for your details. Stop. Take time to independently check the offer.
  2. NEVER send money or give credit card, account or other personal details to anyone who makes unsolicited offers or requests for information.
  3. DON’T rely on glowing testimonials: find solid evidence from independent sources (not those provided with the offer).
  4. NEVER respond to out of the blue requests for your personal details.
  5. ALWAYS type in the address of a website of a bank, business or authority in which you are interested - it’s safer.
  6. NEVER click on a link provided in an unsolicited email as it will probably lead to a fake website designed to trap you.
  7. NEVER use phone numbers provided with unsolicited requests or offers as they probably connect you to fakes who will try to trap you with lies.
  8. ALWAYS look up phone numbers in an independent directory when you wish to check if a request or offer is genuine.

And if you want some further advice, here’s what I would add.


Read the full article
http://www.firetrust.com/en/blog/chris/scams-target-you

... and remember, just because you aren't in New Zealand, doesn't mean this does not apply to YOU!