Monthly Archives: March 2010

’30 Rock’ Phrase ‘Circulus et Pruna’ Draws Fakealerts

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Liz Lemon should be livid. Jack would be damned angry…in a quiet, repressed sort of way.

The rogue antivirus goons have taken on 30 Rock, the NBC meta-sitcom about the internal workings of a sketch comedy show.

In a subplot from last week’s episode (which I will recap for those who may have missed it), Alec Baldwin’s character teams up with one of the writing team to prank the rest of the writers. The two form a secret society named the Silver Panthers, and when the prank is successfully sprung on the unsuspecting writers, Baldwin’s character Jack begins to walk out of the room, but pauses, turns back to the victims, and ominously utters the (we assume) Silver Panther motto: “Circulus et Pruna.”

Latin scholars (who, I’m sure, are all ardent 30 Rock fans) probably chuckled when they heard Baldwin’s character utter the nonsense phrase “circle and (burning) charcoal (ember).” Or is it circle and plum? Meanwhile, the rest of us were left scratching our heads and wondering what the hell does that mean?

And so, turning to the font of all worldly knowledge, many Googled the phrase and may have been surprised to find that not one, not a few, but every search result on the first page (and most of the second page of results) led to a Fakealert trap that tries to force victims into downloading and running the installer for a Rogue Antivirus product.

The scoundrels.

It’s actually kind of an astonishing feat, as well as a horrific example of the current state of search results. When you consider that few, if any, outside Tina Fey’s production team had heard the phrase Circulus et Pruna uttered prior to last Thursday night at 9:30 (8:30 central), one has to wonder how the purveyors of these rogue antivirus products managed to wrest such total control of a nonsense Latin phrase from the world’s largest and (in theory) most comprehensive Internet search engine — mere moments after those words were spoken on television.
Continue reading

Social Nets Put Your Privacy at Risk

Posted on by

By Mike Kronenberg

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Attention Facebook and Twitter users: You’re still at risk. Last year, our survey found that lots of people using social networking sites were taking the risk of financial loss, identity theft, and malware infection. Have things gotten any better? Well, the answer is yes but, unfortunately, not better enough — and potentially a lot worse for some of you.

The results of our 2010 survey reveals that more of you are adhering to some safe behaviors — like blocking profiles from being visible through public search engines. That’s a good thing, but the downside is over 25 percent of you haven’t changed your default privacy settings. And more that three quarters of survey respondents haven’t placed any restrictions on who can see their recent activity.

I worry about this because you can’t escape the fact that rogue operators are always trying to extract details about you. They want access to anything that can help them dig into your private life. They can break into Web mail accounts, get your credit card number, steal your identity, or even attack you through cyber-stalking.

And they’ll do anything to get the info, from attacking you with malware to tricking you into revealing passwords.

With that, and our survey in mind, on the following page I’ve posted a few suggestions you can follow to protect yourself.

Continue reading

Pushu Variant Spams Hotmail, Cracks Audio Captchas

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages.

The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; It’s spamming through the Hotmail/Live.com Web mail interface. Most interestingly, during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming.

Audio captchas are just what they sound like they are: A voice, often female, reads a sequence of 10 numbers in an artificially noisy background. The purpose is simple: to ensure that a human being, and not some automated process, is entering data into a form. Just as you would type in the scrambled-up letters from a captcha image to proceed, with an audio captcha you have to type the correct numbers from the recording, or the site won’t let you continue.

That doesn’t seem to be a problem for this Pushu variant. We’ve seen Trojans attempt to crack visual captchas a number of ways, including using optical character recognition; employing a mechanical turk service (where humans are paid fractions of a penny for each correctly entered captcha); or by prompting the victim him- or herself to enter captcha text, disguising the captcha form as some sort of Windows prompt. This is the first time I’ve heard of a Trojan attempt to crack the audio captcha, let alone succeed.

Continue reading

Weird New Koobface URLs Use Old Tricks

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Pretty much since it arrived on the malware scene, Koobface has used the technique of sending messages with Web links — in your name, to your friends — as a method of propagating the infection to others. Using your name is a powerful social engineering trick, and the makers of the worm have tried innumerable ways to mask the danger behind those dangerous links: They’ve used “short link” services like Bit.ly to hide the destination; They build pages on sites normally considered safe, like Blogspot or Google Reader, that simply redirect users to a dangerous page; and they use stolen credentials for the Web servers of legitimate businesses to upload their own malicious content there.

Since February, Koobface has tried another technique: It has used different URL encoding schemes, which many browsers but few humans can interpret. You click an odd-looking link and before you know it, you’re on a site that’s trying to push an infection at your PC.

This “new” trick actually harkens back to 2001, when spammers were using so-called dotless IP address tricks to bypass security features in Internet Explorer. A Windows patch issued in October of that year fixed the bug in IE that gave dotless IP addresses additional security permissions. But the IE, Firefox, and other browsers remain capable of taking a URL in the form of (for example) http://1078900434 and correctly translating to a standard IP address, then loading, the page hosted at the IP address that number represents. (The dotless link above will take you to Webroot’s Web site.)

Continue reading

Fakealert Accurately Mimics Windows Update

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

A new Windows Update-themed stupid malware trick that’s making the rounds appears to be trying to capitalize on the recent frequency of “out of band” Windows patches Microsoft has been releasing lately.

The spy, which serves as nothing more than a vehicle for the fraudulent sale of a fake product called Antimalware Defender, so closely resembles a Windows Update installation dialog that some members of our threat research team who saw these files had to pause and look carefully at the dialog box before deciding it is, in fact, a big fat hoax. Even the Microsoft Knowledge Base article the dialog box references is a real KB article…though it has nothing to do with security.

The entire scam is facilitated through a nearly-1MB DLL file, which contains all the instructions required to display the fake popups from the System Tray, the fake Windows Update dialog box, and the fake antivirus “scan” window which appears when you play along with the app. The DLL appears when you visit certain Websites that push drive-by downloads at visitors.

Continue reading