Pinball Corp’s Appbundler Employs Malware-like Techniques

Posted on March 29, 2011 by glhaldeman

By Andrew Brandt

For a couple of weeks now, I’ve been noticing a curious (and increasingly prevalent) phenomenon: Some of the free Web hosts popular among those who engage in phishing are popping new types of multimedia ads over the tops of the pages they host. Not only does the victim, in this case, risk having their login credentials to banks or social media sites phished, but many of those ads behave almost identically to “missing codec” social engineering scams that have been popular among malware distributors for years.

The ads — and I use the term very loosely, because these contrivances fall well over the shady side of the ethical line for online advertisements — appear in banners or (in the multimedia-heavy version) glide down in front of the page the Web surfer happens to be browsing, annoyingly obscuring the page. In most cases, these “ads” take on the appearance of some sort of media player window that appears to be stuck in a “video loading” loop, but this is a ruse. There is no media player. The Flash animation is designed to look like one, with the goal to convince the viewer to click the fake video player window, which initiates the download of something called XvidSetup.exe from a server on the domain appbundler.net.

That domain, as well as appbundler.com and clickpotato.tv, appear to be owned by a company with a less than stellar online reputation called Pinball Corp. The executables are not malware, but they also don’t entirely do what they say they will, either. And while the programs also distribute an old, outdated version of the XviD codec (in addition to other sponsored apps, more about this below), they do so without the permission of the publisher of that software, and possibly in vi0lation of the GPL software license terms that XviD uses. A new term of art seems to be required to describe this type of advertising; I propose calling the ads scads, a concatenation of scam and ads. Scadware describes the fraudulent software more precisely than the prosaic Potentially Unwanted Application.

The deceptive way in which Pinball Corp’s ad convinces users to download and install the sponsored software certainly leaves a bad taste in my mouth. Read on for the details.

Continue reading →

Spammed YouTube Comments Promote Adware – Successfully

Posted on March 8, 2011 by glhaldeman

(Update, July 11, 2011: On May 25, 2011, we were contacted by representatives of Future Ads, LLC, the parent company of both Playsushi and Gamevance. Future Ads informed us that they, too, had been victims of a scam perpetrated by rogue affiliates who seemed to be involved with the malicious campaigns we described in this post. Future Ads claims that it has taken action to prevent this type of abuse from happening in the future.)

By Curtis Fechner and Andrew Brandt

I was poking around at the end of the work day last week, checking out the newly-released trailer for X-Men: First Class. But something in the comments caught my eye: The two highest-rated commenters don’t appear to be human. Their messages invite readers (using some goofily accented characters) to visit a profile and see the whole movie.

I’m sure the film’s director, Matthew Vaughn, would also love to see that, especially because he may not have finished shooting the movie yet. And, of course I wanted to see just how they’d manage to get “this entîre leekêd-movìe” or “the complête leekêd-film” in their user channel, given the absence of a completed film, let alone YouTube’s limits on video length.

When I click through to the profile, it suddenly makes sense. The profile links to an outside site where (the profile’s owner claims) you can watch the full movie. It only took 13 thumbs-up clicks on those comments to make those comments the most popular, but a real user isn’t going to ‘like’ glaringly obvious comment spam. The comments are probably being boosted by the spammers themselves. With just under 7 million page views, this is apparently an effective scam. Not good!

Continue reading →

10 Threats from 2010 We’d Prefer Remain History

Posted on January 1, 2011 by glhaldeman

By Andrew Brandt

With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.

Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.

Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.

Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.

Continue reading →

Rogue AV Spam Invades Multiply, Yahoo Mail

Posted on November 10, 2010 by glhaldeman

By Andrew Brandt

While nowhere near the size of the mammoth Facebook, the social network Multiply is no slouch. Based in Boca Raton, Florida, the site is designed around not only sharing photos and videos with friends and family, but also a relatively novel concept called social shopping, which permits users of the site to shop together in a virtual marketplace, or even set up an Internet storefront. At last count, according to Multiply’s blog, the site has over 12 million users, which means that the Multiply Market may be one of the largest single shopping Web sites in Southeast Asia, where most of its users live.

I would never have even known about Multiply (it’s one of nearly 200 active social network sites listed on Wikipedia) if it weren’t for one of our Threat Research analysts, Rhoda Aronce, who hails from the Philippines and uses Multiply to keep in touch with family. She received an odd-looking message that appeared to come from Multiply on her Yahoo mail account yesterday, and it set off alarm bells. Good thing, too, because it looks like a spam campaign targeting Multiply users is trying to infect those users’ computers with a rogue AV that calls itself Antivirus Solution 2010 Next.

The initial spam message uses familiar social engineering tropes: It’s a message that looks like it was sent via Multiply’s servers to Rhoda’s Yahoo mail account. The message body reads

heyy! (username), do we know from some place isn’t it? so here’s a special video i did for you, ull recall me!, pls holler me back!!!, kisses <3

The message is dominated with a photo of what looks like a streaming video window that says Click here to see movie. That’s where the fun begins for researchers, but please, don’t click this at home, especially if you’re in the middle of shopping online. Leave getting infected to the professionals. If you see something like this in your email inbox, just delete the message.

Continue reading →

Malware Threats: What Would Churchill Do?

Posted on November 3, 2010 by glhaldeman

By Ian Moyse, EMEA Channel Director

With Christmas fast approaching, (lest we forget the shops have kindly put all the Christmas goods out in September and early October again!) we can expect online attacks to increase as per their normal schedules, ramping up through the end of the year.

With apologies to Sir Winston Churchill, never in the field of Internet conflict was so much harm done to so many by so few.

For all the benefits the Internet provides our lives, no single technology has given so few criminals the ability to cheaply and easily target the many. We’ve seen the rise of the dark economy, where far flung cybercriminals trade skills and produce burglary tools for sale, and we live with the consequences every day. Sophisticated attacks target both our computers and our users, through social engineering.

While the increases in cybercrime incidents seem to indicate a greater number of attackers, the reality is that the growth of the Internet itself gives rise to the ever-increasing volume of botnets, keyloggers and spam. The Internet makes us all contactable and, to a degree, easily identifiable. As we surf the Web, we leave traces of our presence in the form of electronic footprints — cookies, blog postings, and of course, our activities on social networks and other online forums.

And yet, no matter what we do to stem the tide, the problems only seem to increase in size and scope.

You can tune in and listen live to more of Ian Moyse’s predictions for next year’s most serious threats in his free Webinar, ThreatNet 2011, Thursday, November 4, at 10am Eastern.

Continue reading →

Five Reasons You Should Always “Stop. Think. Connect.”

Posted on October 4, 2010 by glhaldeman

By Andrew Brandt

Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.

Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.

Continue reading →

Workplace Social Networking: More Like Antisocial Not-working

Posted on September 14, 2010 by glhaldeman

By Ian Moyse, EMEA Channel Director

Hardly a week goes by when the national press doesn’t carry a story about how social networks represent a threat to privacy or security, or both. These news stories aren’t wrong: Users of social networks face a raft of risks, ranging from malware attacks and identity theft, to cyberbullying, grooming from sexual predators or stalkers, viewing or posting inappropriate content, and the ever-present risk that you (or someone you work with) might end up with your foot (or is it your keyboard?) firmly in mouth.

Using social networks to give out too much information about yourself can also lead to some predictably poor outcomes. One Australian employee, fired from his job, had posted about skiving from work after a night of heavy drinking. A group of call center employees swapped brags about abusing customer information on Facebook and were fired. Is it hard to believe that the employer used the employees’ own Facebook posts as a virtual admission of guilt?

With Facebook adding over 400,000 users a day and LinkedIn 400,000 a week, social networks can no longer be ignored by employers, as employee misuse of social networks accelerate.

Continue reading →

Fake Flash Update Needs Flash to Work

Posted on September 7, 2010 by glhaldeman

By Andrew Brandt

If you live in the US, you may have played sports, barbequed, or enjoyed the last long weekend of the summer outside doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.

I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The behavior I saw by the keylogger was virtually identical to that used by the Migdal variant, reported in a previous post. The payload is even named m24.in.exe, just like the Migdal payload was named after the domain where it posted stolen passwords.

It’s been a while since the worm changed its primary method of infection: For nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so it appears the user posted a link to a video. Of course, the worm does the posting in the name of the user, and the link points to a page which purports to be some sort of streaming video, but actually pushes the malware on anyone who visits.

And, in order to take on the appearance of a real online video, it uses Flash.

Continue reading →

Pro-Israel Website Receives Passwords Stolen by Koobface

Posted on September 2, 2010 by glhaldeman

By Andrew Brandt

Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence?

We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work as proxy command-and-control servers for the botnet. One such hijacked Web domain, migdal.org.il, popped up in a number of blog posts and on Web sites which list the domains used to host malware, as far back as this past May, when the Koobface crew began using a slew of new hijacked servers as distribution points for its malicious files.

And since the summer, Koobface has been delivering a password stealing Trojan among the several payloads it brings down to an infected computer. That Trojan’s name is migdal.org.il.exe, and the stolen passwords it scrapes from infected computers are sent right back to the migdal.org.il Web server, which is physically located at an ISP in the UK.

Migdal also seems to be (if you can believe the content posted to the Web site) a French jewish organization that provides aid and resources to Israeli children and border guards, and whose leadership opposes many of the Israeli concessions that Palestinian negotiators have requested during the long peace process. Have the Koobface gang gone political, or are they just capitalizing on a convenient situation with an abandoned Web site?

(Update: The site went down on September 3rd, the day after this post went live. Thanks, helpful ISP who shall remain nameless.)

Continue reading →

“OMG! Vuvuzela banned!” Tweets Infect Followers

Posted on June 24, 2010 by glhaldeman

By Andrew Brandt

Malware authors must have a soft spot in their hearts for the long-maligned South African vuvuzela, because once again, the most annoying noisemaker in World Cup history is driving people to Web sites which push infections down to their computers. This time, people are retweeting the malicious links attached to a message that reads “OMG! Vuvuzela banned!” along with the hashtags #worldcup and #vuvuzelabanned. At last check in Google, references to the malicious links number over 16,000.

The tweets use a variety of different link shortening services (including bit.ly, tinyurl.com, is.gd, and dr.tl) to mask the fact that their destination is actually a bogus image hosting website hosted on the .in top-level domain (supposedly used by Web sites registered in the country of India, but these sites are all hosted elsewhere). The Web site you eventually land on calls itself Image Sheep, while in the background, your PC is being herded into a botnet.

As an aside, there is a real image hosting service by the same name, but the real Image Sheep is registered elsewhere and hosted in an entirely different network than these fake Image Sheep clones.

Once the victim’s browser loads the fake Image Sheep page, it pushes a Java “image viewer” applet, named target.jar, down to the browser. It’s easy to pick apart the contents of this file, which contains additional Java applets and PHP scripts that push the malicious file (named IMG12523.jpg.exe) down to the victim’s computer. The file itself is a downloader component of an adversary we’ve seen before: Trojan-Backdoor-Protard (aka Gootkit), which retrieves additional malware and retrieves complex instructions.

Continue reading →

WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Follow “Webroot Threat Blog - Internet Security Threat Updates from Around the World”