Sometimes you see a malware implementation that you have to have respect for the cleverness/ingenuity of the design. These pests can be dastardly to get rid of, but essentially this pest was occasionally popping up a “windows integrity scanner” installer. It wasn’t frequent, but it was persistent and the user was afraid that it was the gateway to other bad stuff. (That’s correct…) Anyway on inspecting the msconfig list of programs running at startup I found gsudxz.exe or some such nonsense (psuedo-random string of letters). I opted to reboot into safe mode and run the smitfraud removal tool because this looked like a typical smitfraud infection… turns out it wasn’t though.

The removal tool did it’s job, found the item I had suspected and I rebooted to find it gone. I continued to work on the machine for another 40 minutes or so on another issue and left. I soon had a call that it had returned! So, I revisited and sure enough there was another entry in the startup list…. wdxcijk.exe or something similar… Hmmm… were is the “puppet master” process though? I killed off the process in memory and the startup entry, but knew there must be something “lurking in the shadows” that put it back in place.

So, I ran the Autorun utility from sysinternals…. I haven’t used that utility before believe it or not, but it does an EXCELLENT job of listing every thing that might automatically run or load at startup. It turns out that there are run entries in the registry that are not displayed by msconfig. (Thanks microsoft…) This particular baddie had taken up residence at hklm (hkey local machine) / software / microsoft / windows / current version / policies / explorer / run … an the file it was running was safely tucked away in the c:\documents and settings\all users\application data area….

so this process was responsible for running at startup and making sure that it’s minion was active. If the minion wasn’t active it would create a fresh copy and run it/place it in the regular startup area. Clever…. someone cleaning manually or via utility would quite easily find the and remove and not be certain how it kept sneaking back in.

These stories come up from time to time. A free giveaway of some sort and it turns out that there’s spyware or a virus embedded, company gives a big “whoops” and fixes things by replacing them…. McDonalds had a promotion going where up to 10,000 people could win a flash based mp3 player they also received a trojan horse preinstalled…. They’ve apologized and are swapping the infected players and giving information on how to clean up a pc with the keylogger. According to f-secure it was infected with the QQPass password-stealing trojan. Just imagine how things would have turned out if the Greeks had looked that gift horse from the trojans in the mouth first…..

Looks like Apples at it too – some of the 5.5gb ipods shipped with Windows viruses. ( RavMonE.exe ) – Apple has removal instructions….

Some time back I remember an article I had on vcodec not being a legitimate video codec. At the time there was some malware claiming to be vcodec and “required” to view some content…. well, posing as a codec download is a good way to trick people into downloading it seems and there are more out there that use the same trick. Sunbeltblog brings not one, but two fake codec sites to watch for today.

icodecpack.com
playercodec.net
movscodec.com

along with ….

dvdcodec(dot)net
emcodec(dot)com
emediacodec(dot)com
emediacodec(dot)com
imediacodec(dot)com
Intcodec(dot)com
media-codec(dot)com
mediacodec(dot)net
media-codec(dot)net
movscodec(dot)com
mpgcodec(dot)com
nvidcodec(dot)com
nvidcodec(dot)com
pcodec(dot)com
svideocodec(dot)com
vcodec(dot)com
V-codec(dot)com
vcodecdownload(dot)com
vcodec-download(dot)com
vcodecget(dot)com
vcodec-get(dot)com
vcodecpull(dot)com
Vicodec(dot)com
Vidcodec(dot)com
vidscodec(dot)com
zcodec(dot)com

Above clip from sunbeltblog – thanks for the warning guys… be cautious out there.

–update 9/15–
Credit again to sunbeltblog on another fake codec out there….

strcodec.com

is the site…

Yes, it’s another wolf in sheeps clothing. This time around Sunbelt is reporting on “Trust cleaner”. Keep your eyes out for this one, among other things it plants an altered version of the Google page complete with links to dating, gambling, ringtones, pharmacy, home loans and spyware removers…….. (the fake site is at mswindowssearch.com – trustcleaner.com trustinbar.com are download sites for the pest….) If you’re in a position to block addresses…. read more for the list….

Here’s a list to block

813aw0nr01jsxfj374ca. com
adelinatech. com
adsforsite. com
azebar. com
blablablablablablablablabla. com
fandl. net
finditanyway. com
globosoft. info
googlecaches. com
trustclicks. com
trustincash. com
trustincontextual. com
trustinpopups. com
trustinsearch. com

While we’re in the spyware theme… Again from sunbelt blog… there was a mention a couple days ago about iframecash.biz being down – well they’ve just moved to another domain name… or a few:

Well, they are actually running just fine, thank you — albeit at a different site, iframemoney(dot)biz. In fact, here’s the whole happy bunch:
81.95.146.85 iframemoney biz Charles Manuel admin@spyfix.biz
81.95.146.86 xarwiroozc biz Charles Manuel admin@spyfix.biz
81.95.146.86 xcytxcxqrb biz Charles Manuel admin@spyfix.biz
81.95.146.86 xdnsupulub biz Charles Manuel admin@spyfix.biz
81.95.146.86 xepvdhdnzs biz Charles Manuel admin@spyfix.biz
81.95.146.86 xffsktxdul biz Charles Manuel admin@spyfix.biz
81.95.146.86 xgbgsfmdis biz Charles Manuel admin@spyfix.biz

So there’s more for your blocklists. Be careful out there.

Wolves in sheeps clothing are the label I give to those rogue antispyware, or antivirus programs that bring pests instead of protect against them, or are otherwise questionable in their tactics. Titan Shield seems to be a new threat on the block in this area, I haven’t seen it first hand yet, but it looks like it is one you’ll want to avoid *(You may want to block antispywarebox(dot)com and titanshield(dot)com if you’re in a position to do such things in your network.)

It’s almost surprising that this kind of thing is still a problem, but it seems that they just keep sprouting up. Anytime you’re considering getting antivirus or antispyware software, DON’T do it because of a popup window, investigate (offline if necessary) some of the legitimate, recommended options. Maybe check it against the list online of rogue antivirus and antispyware and then come to a decision.

Oh, also from Sunbelt blog… they’re talking about a craigslist car ad – on inquiring – the advertisor gave a link purportedly to details/pictures, etc. about a car for sale, the link was to an .exe file. You’ve got to stay vigilent.

It went un-noticed by most people for a few years. After all, the ones that were affected were just those that were “asking for it”. Where to start. Let’s see, back in the day there were some that sent out messages to other peoples computers and even when people tried to stop getting the messages they kept coming, so a few sites decided that if they could “blacklist” the places that these messages were coming from, they could help people deal with the mass of messages. So they did, and the people sending the unwanted messages were a bit frustrated and improved their distribution a bit, taking over virus infected pcs for sending their messages. The defenders matched and started blacklisting dialup addresses as mail sources. It was frustrating for those doing legitimate mail servers on a dynamic internet address, but there were legitimate ways to fix the problem. But the senders of the messages got mad.

They used the army of spam bots that they had cultivated to attack the blacklisters, from time to time they would deny service to their websites and frustrate the effectiveness of their service. Once, to show the power of a botnet several big name websites were taken down for a better part of a day, then the attack just went away. It was just a flexing of muscle. Of course, THAT made big news for a day or so, then life went back to normal. The attack against spam blacklisters continued off and on, but most people don’t really care about that. OH they hate junkmail, but they just don’t know if blacklisting is the answer. Maybe it’s not anyway.

Occasionally, the botnets were used for other kinds of attacks too. Not against anybody that you’d jump to defend. Mostly against gambling sites. They’d basically say, ok it’s going to take $$$$ to make sure people can still reach your site tomorrow. After all gambling is at the edge of the law in many places, they don’t have much wiggle room to contact authorities. So, again, people didn’t take big note of it.

Then, there was a company that had another idea for getting people out of junk message mailing lists. They would follow the law, which allowed a removal request to be sent for each message received. They had a download client that would automate the process, but stay within the law. The effect was close to a denial of service for some of the big junk mailers. Some quickly conceded and cleaned their lists, but some took the lists and turned on the users of the service, and ultimately there was a massive botnet attack against that service that went on and on, eventually causing them to close up their doors.

Then there was another site. They were dedicated to computer security, to helping people remove viruses and spyware and had started an initiative to take down phishing sites. They were a bit more “mainstream” I suppose than many of the other sites. They got noticed for their work and have fallen under attack.

The above is basically a true (although stylized) narrative of the last few years of online botnet activity. Now, I CAN’T CLAIM that these attacks were all made by the same group, certainly not. BUT, I think this list shows how powerful botnets have become and the threat that they pose to the internet at the moment. Castlecops.com is the site that is the most recent target of a denial of service attack. They seem to be up at the moment, but I am really beginning to think that the internet security community has a BIG problem and a BIG fight on their hands. I think the “take down” of blue security may have given extra confidence to many in the spam/virus/spyware/phishing “community” that they have the upper hand and I ask myself if we might see security related business and communities (like castlecops) targetted one at a time until they’re DOS’ed into submission.

Indeed, blue security talked about the next stage in their fight would have been an escalation and perhaps starting a full scale “war” on the net. So, the question is… how much does our economy depend on the internet? How much power then does a botnet yield that could take out major sites for a period of time? What solutions are there?

Most efforts at taking out botnets have gone after the IRC servers that act as “command and control”. Usually, blocking those is what’s called for. However, I am beginning to wonder if another approach would be better. I’m wondering, given the fact that if you have one trojan on your pc you likely have several…. if it wouldn’t be better to design a “white hat” upgrade to distribute to a trojan, so that on the next connect to the IRC control, it updates and then displays a “YOU NEED TO REMOVE VIRUSES FROM YOUR PC” message and disables all network interfaces (routes everything to 127.0.0.1)

I know many times such “white hat” viruses backfire, but I think there needs to be serious consideration of ways to take out entire legions of botnets at one stroke, rather than cutting off one head and then the bot downloads fresh code from another server.

ADTMAG.com has an interesting article talking of the convergance of spyware and more sophisticated phishing attacks. They talk about the convergance of viruses and spam engines that happened in 2003 as a real shift in the dynamic of WHERE junk mail was coming from. Today botnets account for about 90% of the spam online, and of course, the botnets are the zombie armies that can be (and are being) utilized to bully web pages off the net, or extort large amounts of $$ due to denial of service attacks.

Essentially, the crux of this article though is that the spyware writers are finding that they can get a LOT more information from end users pcs than they’re making use of. They suggest a scenario that could happen where an infected pc whose user has an ebay account and just lost out on an auction could be sent a seemingly legit email explaining that the high bidder backed out and that they are now the winner of the auction, please remit payment to…..

In essense what this means is that we can expect MUCH more targeted and customized phishing attacks, which seems to make sense. Most phishing attacks today are shotgun approaches and may net a number of accounts (sometimes hundreds of accounts.) As that becomes harder to do, I imagine they would start to target smaller groups more specifically (hoping for a higher success rate.) Unfortunately spyware has evolved VERY quickly and is at times installed intentionally for the “neat game” or screensaver or who knows what that the company offers.

Incidents.org had an entry in the last couple days on a malware infestation that was interesting and showed a couple things. 1) You can’t bet on antivirus to keep you safe (the initial installer was not detected by most AV vendors – suspicious by 1.) (If you think about it, this makes perfect sense – antivirus is reactionary and needs to have seen a bug once to recognize it again.) 2) Malware, once in the system, can bring all their friends.

The initial malware was called extdrvr.exe and was apparently a spambot of somesort (when run it would pull email addresses and message body from a website. (spm.freecj.com) Then it would download trojan downloaders, which would pull in more stuff, including a dialer, which pulled down ANOTHER downloader.

In an interesting competitive twist, the host file was modified to block access to various antivirus vendors, Microsoft ,etc… but also some well known sites for distributing OTHER malware. (Was it Netsky and bagle/beagle that “fought” against each other ?)

This system is definitely in line for a reinstall after this mess.

Incidents.org has another interesting post about a spyware site. One of the handlers ran across it while doing a search for an educational institution. (They’ve used a wildcard in the dns record so that they can get traffic to {fillinkeyword}.nastydomain.com) Anyway… the main page tries to install WinAntiSpyware2006FreeInstall.cab from WinSoftware Corporation, Inc. It gives the little ActiveX control popdown bar and insists that it must be installed to view the page properly. But that’s not the most interesting part…

It looks like they’re filtering access to the page based on the User Agent of the browser, if it’s IE you get the push install, if it’s not… Page not found. They discovered this because they put on the “rubber gloves” of web security research and tried pulling up the page with wget to see what it looked like. 403 denied… Then they tried out Firefox and got a 404 not found. Finally, they tried wget with the -U option to specify a User Agent… like this…

wget -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

And with that (and the address), they were able to grab the index.html

I guess that’s a technique to try and slow the research of a push spyware download? According to Incidents, WinAntiSpyware2006FreeInstall.cab is detected as a trojan by some antivirus products. I wonder also if this could pave the way for spyware pushers to target specific browsers/platforms with different push downloads?

There is no doubt that spyware is a problem, but when a vendor of anti-spyware software claims 87% of pcs have on average 34 pieces of spyware per machine installed…… you do have to wonder. And when they claim that in part on FREE anti-spyware software…..

“Security analysts blame this increasing infection rate on the adoption of free anti-spyware programs that use outdated technology and don’t provide immediate threat definitions to combat against new and emerging threats. To guard against new spyware programs, home computer users must use an anti-spyware program with frequent definition updates and engines that are capable of removing the toughest spyware from deep within the operating system. Unfortunately, users who only install free anti-spyware programs do not get access to frequently updated definitions and versions.”

Security Fix writer Brian Krebs decided to put a few tools to the test, including that of the company that released the report that the above snipet comes from. (Webroot) Apparently (for starters) tracking cookies were used to make up the # of infections per pc number above. Well, truth is, most web browsers mac/linux/windows probably have a tracking cookie from SOMEPLACE that SOME company considers to be spyware. (Unless they reject cookies entirely) I remember seeing one antispyware tool complain about doubleclick cookies.

Anyway, Brian tested out a couple of free tools against Webroot’s Spysweeper. (Windows defender, ad-aware and spywareblaster were tested.) They were all tested against spycar which is …

Spycar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool.

The bottom line is none of the tools prevented all the attacks. It does sound as though SpySweeper did perform better than the other tools in some areas. SpywareBlaster and Ad-Aware didn’t prevent any of the attacks, although with regards to Ad-Aware he notes…

(in hindsight, including it was kind of a silly thing to do because the free program doesn’t come with real-time detection — just on-demand scanning. In fairness, it found all of Spycar’s registry changes in a subsequent on-demand scan.)

It would be interesting to see how Spybot-Search and destroy would have fared in the real time detection, but… given that these were attacks instead of specific spyware… I really wonder.

Windows Defender prevented one registry change attempt, but allowed others and sat idly as internet option tabs vanished as the spycar ran through it’s tricks. (Defender also let spycar change the hosts file…)

Spysweeper did come out on top in the frequency of updates area (which in anti-spyware software is the key these days.) With 13 updates in the last month compared to 7 for Defender and Ad-aware and 2 for spywareblaster. (Again I wonder about spybot s&d…)

One comment on the article mentions pctools product Spyware Doctor as being very good, obviously not free, but very good. That reminds me there are a few pctools tests that I’ve been meaning to get around to looking at. Thanks for your testing Brian…