Good. It's always best to never share your password with a third-party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twiter's API.
All third-party applications must now use Twitter's OAuth.
So, that being the case… we have a feature request.
The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".
If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).
We don't suspect Boy George is behind this…
Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access.
And here's our feature request, we want a "Revoke Access and report as a spam application" as well as the "Revoke Access" option.
09/04/2010 12:04 PM
Wikipedia's affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers."
This is very true — affiliate marketing methods definitely attract abuse from spammers.
Our recent posts on Facebook and YouTube spam linked to cost per action (CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investing social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com.
09/04/2010 12:04 PM
Someone has been trying to pose as us again, and is sending out an e-mail that looks like this:
From: Account Support Date: Saturday, August 28, 2010 4:33 AM To: none Subject: Account Alert!!!
An HTK4S virus has been detected in your Email Account, and your email account has to be upgraded immediately to our new F-Secure HTK4S anti-virus/anti-Spam version 2010 to prevent damage to the email and important files in your email account. You are therefore required fill the columns below to enable us verify your email account or your email account will be suspended temporarily from our services.
Username: Password: Date of Birth: Telephone Number:
You can safely ignore that e-mail and please do not reply with the requested details. We don't have a product called F-Secure HTK4S anti-virus/anti-Spam, and we certainly wouldn't let such a badly written e-mail to be sent out to customers.
09/04/2010 12:04 PM
One of our Safe and Savvy bloggers, Melody-Jane, recently asked me about some "free" offers for F-Secure Internet Security 2010 that she spotted on YouTube. She thought the videos, and their associated links, looked just a bit more than suspicious. So I decided to check them out.
What I discovered was Cost per action (CPA) spam. The same sort as I've recently been investigating on Facebook. (I'm really, REALLY beginning to hate this CPA stuff.)
This is what one of the typical videos looks like:
"Click the Link to Begin Your DOWNLOAD.......BEFORE IT'S REMOVED!!"
Too late. I've already reported the video to YouTube and Bit.ly abused their link within 30 minutes of my request. (Nice!)
Here's another example of a spam video.
As you can see, it isn't just our software that the spammer is trying to rip-off, he's offering many other AV products as well.
If you click on the link advertised in the video's description, you'll end up at a WordPress.org blog.
At which point you'll be presented with a CPA survey to "unlock the free content".
And what content do you get for your trouble when you fill out the survey?
A link to a torrent site… (jerk).
Downloading cracked software is typically a short path to malware. We don't recommend it (doesn't matter what software).
09/04/2010 12:04 PM
In the past days, a class of exploits that fall under the category of DLL hijacking (or "binary planting") have gotten a lot of attention. Apple's iTunes had problems, and a lot of other applications seem to be falling for the same thing.
The problem is really quite simple. An attacker will try to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) somewhere under the same location. By doing this, he can force a vulnerable application to execute the malicious code. So, double-clicking on the wrong file on a network share might get your machine infected.
The whole class of problems is really nothing new. As Thierry Zoller points out, a nearly identical issue was reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that was made available by HD Moore last Sunday. It makes finding such vulnerabilities very easy.
So what can you do to keep safe? Microsoft has Security Advisory 2269637 out on the issue. It has several ways to mitigate the risks. You should also make sure to apply updates from different vendors for vulnerabilities in their products.
We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities.
Currently we are not aware of any vulnerabilities in our own software, but we are continuing further investigations on the matter.
Signing off, Antti
P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument, LoadLibrary("mylibrary.dll"), can be so difficult to get right?
The documentation for LoadLibrary has about 1100 words, the page describing it in more detail has 1000 words, and the page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary!
09/04/2010 12:04 PM
Last week, the lab identified a curious set of spammed malware; files signed with a valid Authenticode code signing certificate.
This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.
I searched for a company that matched the name and address in the certificate and found small consulting firm that provides services related to industrial process control and optimization.
I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.
I investigated the case with the help of the victim and Comodo, the Certification Authority that had signed the fraudulent certificate. I discovered that the certificate had been requested in name of an actual employee and that Comodo had used both phone call verification as well as e-mail. The fraudster had access to the employee's e-mail and the phone call verification either ended up with wrong person, or there was some misunderstanding. So the phone check offered no prevention this case.
Comodo has revoked the fraudulent certificate and any files signed with that certificate will be blocked automatically.
Also during the investigation I learned that the compromised employee had received a phone call from Thawte, another CA company. Thawte asked if she requested a code signing certificate in the company's name, to which she had answered "no", and Thawte then aborted the certification process. So it seems that the malware authors tried multiple CAs until everything fell into place in gaming the application process.
This case gives cause for serious concern about the trustworthiness of code signing in general.
When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine. Mistakes will also happen in the future. It is very likely that we'll see more of these cases in which an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.
Certification Authorities already have measures to pass information about suspicious certification attempts, and other kinds of system abuse. However these systems are maintained by humans, and are thus fallible, and we have to accept the fact that that with current system, certificates are not 100% proof of a file's origin.
The current situation of a single entity being served by several certification authorities is not good from a security point of view. Certification Authorities should have similar process as with domain names where a single domain name, for example f-secure.com, can be hosted by only one registrar at a time.
Also, code signing or SSL certificates should be allowed to be signed by only one CA at the time.
So if someone would like to get certificate in name of F-Secure they would only be able to get that from the same CA where F-Secure currently gets its certificates, which has an existing business relationship with F-Secure, and thus any new certification requests would be verified from existing business contacts. For this to be possible, the CA would need to have a central information resource.
The current model of any CA being able to issue a certificate in any name is simply not ever going to be secure as there are way too many possibilities for scams and social engineering.
For those interested in hearing more about code signing abuse, I will be giving a presentation at T2 Information security conference in October.
09/04/2010 12:04 PM
Today we have an example of yet another Facebook spam (YAFS).
This particular spam links to a Facebook Page called "I May NEVER T�XT AGAIN After Reading THI$!!".
As you can see, there are over 200 thousand likes.
The Facebook user must click the Like button in order to continue.
But not really. Let's skip step 1 and take a look at the selection source.
Step 2 requests (but doesn't enforce) sharing the Page and step 3 provides a link to Blogger.
JavaScript for a CPAlead (an affiliate marketing vendor) kicks in when you visit the Blogger page.
This actually surprised us as we wouldn't have expected Google to allow this sort of thing on a page hosted at blogspot.com.
In order to view the Blogger page, you have to fill out a survey.
But not really. A browser add-on such as NoScript can be used to disable the JavaScript and view the page. Adblock Plus also works.
The "Never Texting Again" blog looks like this once you disable the survey.
The Blogger page was created in May 2010 and simply copies this switched.com article from September 2008.
So how many people filled out the survey in order to view the page? That's difficult to say as there aren't any counters on the page.
Another similarly themed spam link from June 29th offers a hint:
There were nearly 300 thousands clicks on the bit.ly link…
But remember — clicks don't equal conversions.
The bit.ly statistics show that the link was only liked 3048 times.
That's just a one percent conversion rate from Clicks to Likes (step 1 to step 2). And as we mentioned yesterday, even fewer people appear to fill out the surveys (step 3).
Yes. The links do "spread virally". But as a wise man once wrote: Don't Panic!
The links are just spam, and the majority of people recognize it as such — just like e-mail spam, which also links to surveys, scams, and dubious offers.
This spammer has several Blogger pages:
And they all seem to fit Google's definition of spam:
So we reported the entire account to Google.
Done, and done.
We don't really care for the sort of "news" that CPA spammers continue to hype — and you probably don't either — but perhaps you have a friend that frequently falls for this sort of spam? Then check out Bypass Facebook Fan Pages. The site tracks Facebook spam and links to the material on which the CPA affiliates are trying to capitalize. They also have a Twitter account.
09/04/2010 12:04 PM
Facebook spam (erroneously called scams) has been making headlines recently…
And with all the attention on "virally spreading" links, we wondered, just how effective is it? What's the conversion rate? Links spread virally — but so what? That's only one step in the process. How many people actually fill out the CPA surveys that make the money?
But wait, what's that in the bottom right hand corner? A counter of some sort?
Indeed, this particular spammer is using a statistics site called http://whos.amung.us.
Here's the dashboard view for the football spam:
The most action that this spam managed was 208 hits in one hour.
Here's another, more popular spam about an unlucky McDonald's Happy Meal:
This spam uses bit.ly links to spread itself on Facebook.
The links lead to http://happytruthblog.co.cc and there are just over 32,000 clicks. The stats also show the number of likes. Clicks to likes, what's the conversion rate? One link has around 40% and the other about 48%.
The dashboard reflects the successful traffic.
40% is an excellent conversion rate, much better than e-mail spam.
However, the 32,000 clicks is far less than similar spam from just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks.
Returns are diminishing as people are exposed, develop a resistance, and recognize Facebook spam for what it is.
In fact, the spammers themselves seem to know this and are working harder to convince people.
This version of the Happy Meal spam promises "no need to complete surveys."
And the initial likes and the site's dashboard stats reflect well on that promise.
But it's the same old spammer lie.
This page has an anti-spam bot "test", which is just a survey by another name.
Let's close the page. Wait, what's this?
Please take one minute to complete a spam-free market research survey?!?
Unbelievable.
Screw the spammers! Let's take a look at what they're trying to cover up with their JavaScript.
Here's the page source for the spam page:
Rather than "like" the page and then "share" it with our friends on Facebook, let's skip to "step 3" and open /reveal.html.
Hmm, that reveals a reference to widget.php.
And widget.php's page source gives us the final result:
If that's the type of "free content" that these bonehead spammers are pushing, it's no wonder that there's a diminishing return on their efforts. What a joke.
A couple of other examples that we examined today used video bait (video.php). Those spam pages eventually linked to YouTube videos, and those view statistics only showed tens of views from the embedded sources.
That's good news. Examination of the data demonstrates that fewer and fewer people actually continue on to "step 3", which is filling out the survey. The vast majority of people bail out of the process after simply liking the page, or after sharing the link.
But here's the bad news.
Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts. Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made. And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon.
09/04/2010 12:04 PM
For those of our readers who follow PlayStation 3 discussions, it would have been hard to miss the discussion about a new "jailbreak" for PS3. News of a USB dongle that breaks the security model of the game console to enable execution of third party software (as well as pirated games) have been going around like wildfire.
Not surprisingly, online miscreants are trying to exploit the excitement. The real USB jailbreak gadget is not a USB drive. But it looks like one. So now some clown is distributing a Windows program that claims to creates a jailbreak USB device out of a normal thumb drive. All you need to do is to download and run the program.
In reality, it drops a backdoor. We detect it as Trojan:W32/Agent.DLEN (md5 e3e03501c795a6cc4c53df2619cadd4b).
09/04/2010 12:04 PM
"Computer viruses may have contributed to the Spanair passenger plane crash which killed 154 people in Madrid two years ago", reports the Spanish newspaper El Pais.
"The Spanair central computer which registered technical problems in airplanes was not functioning properly because it had been contaminated by harmful computer programs", the magazine continues.
We cannot confirm whether malware played a part, nor do we know which particular malware it could have been. However, over the years, we have seen real-world infrastructure affected by computer problems. In most cases, this has been just a side effect; the malware behind the problem wasn't trying to take systems down, it just did.
This was especially bad in 2003, when we saw malware induced problems in real-life systems unprecedented in their severity. The main culprits were network worms Slammer and Blaster.
The network congestion caused by Slammer dramatically slowed down the network traffic of the entire Internet. One of the world's largest automatic teller machine networks crashed and remained inoperative over the whole weekend. Many international airports reported that their air traffic control systems slowed down. Emergency phone systems were reported to have problems in different parts of the USA. The worm even managed to enter the internal network of the Davis-Besse nuclear power plant in Ohio, taking down the computer monitoring the state of the nuclear reactor.
The RPC traffic created by Blaster caused big problems worldwide. Problems were reported in banking systems and in the networks or large system integrators. Also, several airlines reported problems in their systems caused by Blaster and Welchi, and flights had to be canceled. Welchi also infected Windows XP-based automatic teller machines made by Diebold, which hampered monetary transactions. The operation of the US State Department's visa system suffered. The rail company CSX reported that the worm had interfered with the train signaling systems stopping all passenger and freight traffic. As a result of this, all commuter trains around the US capital stopped on their tracks.
There was a lot of attention to the indirect effects of Blaster on a major power blackout in the Northeastern USA which occurred during the outbreak week. According to the report of the blackout investigative committee there were four main reasons behind the power failure, one of them being specifically computer problems. We believe these problems were to a great extent caused by the Blaster.
It is important to note that even though the system problems caused by Slammer and Blaster were truly considerable, they were only byproducts of the worms. The worms only tried to propagate: they were not intended to affect critical systems. The malware affected environments that had nothing to do with Windows: it was the massive network traffic caused by the worms that alone disrupted normal operations.
09/04/2010 12:04 PM
Another malicious application has been found from the Android Market. A game called Tap Snake isn't just a game, it turns out to be a client for a commercial spying application called GPS SPY.
The Tap Snake game looks like an average "Snake" clone. However, there are two hidden features. First, the game won't exit. Once installed, it runs in the background forever, and restarts automatically when you boot the phone. And secondly, every 15 minutes the game secretly reports the GPS location of the phone to a server.
GPS SPY is a simple mobile spying tool and only costs $4.99. When bought, the application advises you to download and install the "Tap Snake game" to the phone you want to spy on. During installation, the game is registered with a keycode to enable spying. This means that the spy has to have physical access to the phone he wants to spy on.
In many ways, GPS SPY / Tap Snake can be seen as a little brother of mobile spying tools like FlexiSPY. GPS SPY is developed by a Russian developer based in Texas, Mr. Max Lifshin ("Maxicom").
We expect Google to remove Tap Snake from Android Market soon.
Here's a video we shot, showing the gameplay of the Tap Snake game.
F-Secure Mobile Security 6 for Android protects Android handsets against GPS SPY and Tap Snake. The detection name is called Android.Tapsnake.
To install F-Secure Mobile Security to your phone, visit f-secure.mobi on your handset.
Updated to add: As we noted above, we fully expect that Google will pull Tap Snake from the Android Market. But it's also possible that they'll once again flip Android's kill switch and it will be interesting to see if Tap Snake meets Google's kill criteria.
Updated to add: GPS SPY and Tap Snake are no longer available in the Android Market.
09/04/2010 12:04 PM
Facebook's "People You May Know" feature appears to be using profile search history when making its recommendations.
I frequently search for spam related keywords, and today, two spam accounts were recommended to me.
Elma and Drema? I don't know anybody by those names…
Searching for the name "Elma Fewell" yielded a few doppelgängers. Checking incremental Facebook IDs yielded even more.
All of these spam accounts were created on Wednesday, August 11th.
I also found five Sueann Dehart accounts and a Janiece Duval. All of the profile pictures are of attractive young woman (and one of Kim Kardashian). Several of the photos appear to be of Ukrainian models, based on a reverse image search.
The profiles posted spam links such as these on the 12th:
• A deal you just can't refuse! • Check this out! • Do not pay for a new iphone 4, get one for free one for no cost! • I became tired of my old mobile phone and got an apple iphone 4 for free! • Incredible Offer Below • Just had to share this with you • Take advantage of this awesome deal! • Take advantage of this great deal! • Whoa, check this out everyone
The links lead to LiveJournal pages that display this iPhone 4 bait:
But then the "Click Here Now" button directs to another domain which, in Finland at least, gives the following message:
"Sorry, this offer is unavailable in your country. You are now being redirected to a similar offer that is available in your country."
And I was then directed to advertisements for "Bounty Bay Online" by Frogster games, a Berlin based game company.
One of my German colleagues has informed me that there's a game expo coming up soon, and that Frogster is promoting a free MMORPG. I think it unlikely that Frogster could be aware of just how their advertising budget is possibly being drained by these unscrupulous affiliate marketers via Facebook and LiveJournal. (Our German office will let them know…)
Abuse messages have been sent to the appropriate parties.
As for Facebook… thanks, but I really don't appreciate the recommendations. Perhaps Facebook should allow people to purge their search history from time to time? Or else they should retool their recommendation algorithm to weed out the fakes.
It's easy enough finding spam on my own — I don't need any extra help.
