While happily perusing Google malware alerts this morning, I managed to click on a poisoned URL.  The Vista computer that I use for alerts/surfing/chatting/social networking is not my main PC, but is obviously one that I have no desire to infect!

So as to not reinvent the wheel, I went to Norton Safeweb and got a fairly good description of what this threat entails:

This particular malware is a drive-by-download and HTTP Fake Scan Webpage.  It is not OK to click OK on the popup! You should immediately use task manager to end the browser session.  Next you should run an antivirus and anti-malware scan (Malwarebytes is a good choice.)

Trademytweets[SCAM]com is a new variation of the old Tweeterfast, Tweeterfollow theme. Recent domains that have operated under the same gray umbrella are gettwitterfollowersforfree.com and
SpreadMyTweets.com.

Trademytweets claims:

“How does it work? When you sign in with your Twitter details, our system will find you 20, 40, 60 or 100 other Tweeters. Then with these people it will begin to make them follow you as you follow them, instantly. “An eye for an eye.” This service will continue until you choose to stop it.”

Current keyword tweets:with approximately 10 tweets per minute involving numerous affected accounts.

“Want some Free Twitter Followers?”
“Just used TMT for some free followers”
“Get Free Twitter Followers!”

Update for March 30, 2010:
You have been using this shortened link since March 25, 2010 http://isDOTgd/aXDme on Twitter.
Here is one example account with much more than ONE tweet every 20 hours…

You certainly have great marketing skills.

Update 8:49 PM March 30, 2010

It appears that if one receives more tweets from this service than one tweet every 20 hours, they are logging into the site and requesting to add more followers.  The site is currently down at the moment.

Until Next time – stay safe online!

I’ve been following the Tweeterfollow musical domain saga since late September 2009.  The theme never changes.  I’ve also written about their scam/phishing/twitter account hijackings here.

Yesterday the Tweeterfollow (AKA: TF) domain push on Twitter was via Twtxtreme.info (currently disabled) using short url services tinyURL and retwt.me.  Today it looks like TF is promoting twtkingz.info via retwt.me and kiwi.url.  TF consistently uses IP: 124.217.246.188 but because TF switches domains frequently, they have not been blacklisted.

The web login page is always the same:

Description: A place to add more followers for your twitter page. This is a twitter adder site

Keywords: get more twitter followers, tweet, twitter network,twitter train, get more followers on twitter, twitter, tweeter, tweeteradder, tweeterfollow, deadlyx, rawhood, hoodzone, followers, train, vip, tweet

Logged in to the TF Web GUI

Once you are logged in to their website you will automatically follow all VIP members. Then you click  on Twitter profile random images [graphics from a3.twimg.com] to follow regular users [SIC].

Once you have clicked on all 20 default regular users profiles, the pop-up below appears:

Click on the OK button and 20 new profiles will reappear.  You can click all day long and into the night and you will still get the congratulatory pop-up each time you click the 20th profile.

You are also encouraged to purchase a VIP membership using PayPal or a credit card. The account that TF is currently using at PayPal is registered to ryann.johnson2009@gmail.com.

Ability to view protected tweets

Using http://isfollow.com/ I wanted to see if the locked accounts that I randomly followed through the TF API were following me.  The accounts listed below were not following me but I was able to view their PROTECTED TWEETS!

afrheyy
aliamutia
ibaddbxtch
IamHoodBarbie
ohannaweb

Since the above account is not following my test account I should not have been able to view IamHoodBarbies protected twitter stream. Obviously these Twitter profiles are all compromised accounts. A simple change of password is probably not the band-aid that should be used.

The Twitter filter managed to nab the “100 followers” string and filtered these tweets from the test account Twitter stream.  The test account is also not currently accruing a steady stream of profiles from Twtkingz[TOX]info API like it was yesterday.  During the past six hours the test account has only followed one protected account via the TF API.  The test account is still able to view protected tweets of accounts that are not following the test account.

Who is behind all this?

With all the emphasis on botnets, security breaches, and malware; In comparison, Tweeterfollow appears harmless.  Is it?

Domain ID:D30737265-LRMS
Domain Name: TWTKINGZ.INFO
Created On:10-Dec-2009 15:10:50 UTC

Last Updated On:10-Dec-2009 15:10:59 UT

There is something big going down on Twitter

Any website hosted at Piradius.net in Kuala Lumpur, Malaysia should immediately raise  a red flag.

Update:  12-15-09  8:13 pm EDT

Update:  12-16-09

Update:  12-17-09

Update:  12-22-09

Test account data:

December 18:
5 tweets Total

Timing:
2 tweets @8:08  pm from API
1 tweet  @9:54  pm from API
1 tweet  @9:55  pm from API
1 tweet  @10:25 pm from API

URL Breakdown:
3 tweets to twtfollow[TOX] info via ohurl.com
1 tweet to twtfollow[TOX] info via retwt.me
1 tweet = “This site just gave me 100 followers using” no URL

December 19:
9 tweets Total

Timing:
1 tweet   @6:09  am from API
1 tweet   @8:33  am from API
1 tweet   @2:10  pm from API
1 tweet   @4:34  pm from API
4 tweets  @7:09  pm from API
1 tweet   @10:10 pm from API

URL Breakdown:
1 tweet to youtube.com [generic]
1 tweet to twtspeedy[TOX] info [via retwt.me]
2 tweets to twtfollow[TOX] info [via Safe.mn = flagged as a "Dangerous website: Phishing/Malicious Content"]
2 tweets to twtspeedy[TOX] info [via TinyUrl]
1 tweet to twtfollow[TOX] info [kiwiurl.com]
1 tweet to twtfollow[TOX] info [via shorten.ws]
1 tweet to twtfollow[TOX] info [via snipr.com]

December 20:
15 tweets Total

Timing:
1 tweet   @12:34 am from API
1 tweet   @1:10  am from API
1 tweet   @6:11  am from API
1 tweet   @7:12  am from API
1 tweet   @8:34  am from API
2 tweets  @1:31  pm from API
2 tweets  @1:32  pm from API
1 tweet   @1:33  pm from API
1 tweet   @2:11  pm from API
1 tweet   @6:36  pm from API
1 tweet   @7:29  pm from API
1 tweet   @7:33  pm from API
1 tweet   @10:12 pm from API

URL Breakdown is getting spammy, so for the sake of brevity – here goes:
The shorl you requested has been disabled due to abuse. We’re sorry for the inconvenience.
lu.mu disabled
kiwiurl.com disabled
nvg8.it disabled
twtfollows {TOX] Info still online
twtlimit {TOX] Inf still online
retwt.me = .twtspeedy[TOX] info

December 21:
26 tweets Total

Currently pushing the following Toxic URLs:

twtfollows[TOX] info
twtlimit[TOX] info
twtspeedy[TOX] info

Stay Safe Online!

Last month Brian Krebs wrote an interesting and informative article about E-Banking on a Locked Down (Non-Microsoft) PC for business owners, and outlined a tutorial on how to accomplish security online.

“In past Live Online chats and blog posts, I’ve mentioned any [sic] easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can’t be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations.” – Washington Post, Security Fix blog

Receiving strong reactions from his readers, Krebs posted a rebuttal titled E-Banking on a Locked Down PC, Part II.  He further demonstrated that the initial article was not directed at consumers, but at “small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online.”

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit (NSW Police) uses two rules to protect himself from cybercriminals when banking online:   Never click on URLs to the banking site and  avoid Microsoft Windows.   — ITNews Great advice during the onslaught of  Zeus and the the Clampi Trojan…

Adrian Kingsley of ZDNet upped the malware  alert a few notches when he stated  “It’s time to ditch Windows for online banking and shopping. There, I’ve said it.”

You can have all the security preventatives lined up in a row and quacking, but you can’t protect ducklings that choose to cross the freeway during rush hour traffic.  Windows is currently the primary target of global malware authors.  Tomorrow it could be Linux.  Next week it could be Mac.  Any operating system that connects to the Internet and conducts financial transactions is fair game.  Since a larger % of Internet users employ the windows platform to do online banking, it is obvious that windows would be the operating system of choice for cyber-criminals to pursue today.

Recently I restricted online financial transaction access to one workstation and to specific websites on a standalone Ubuntu computer.

Read Part I: Intruder Defense – Become part of a Solid Internet Security Solution (SISS)

Until next time — Stay safe online!

The butterfly effect: “Small variations of the initial condition of a dynamical system may produce large variations in the long term behavior of the system.”

In the realm of Internet security, webmasters (hosting service providers) are pivotal in reducing the impact of compromised/malware-laden websites.  Once a compromised site becomes known to a webmaster (or hosting service provider) it should immediately be disconnected from the Internet.

As a webmaster (hosting services provider) you play an integral role in guarding the integrity of site code and maintaining upgrade compliance. One neglectful action on your part – such as failure to acknowledge a website vulnerability can seriously effect all site visitors.  An iframe exploit may seem small and insignificant at first, until a payload is dumped and eventually herds hundreds, or even thousands of innocent victims into the bowels of a stealthy botnet.

As a webmaster (hosting service provider) when using social networking sites such as Twitter and Facebook, you are also responsible for the health of your profile URL that links back to your website. If a social networking site filters your profile link, you should take the warning seriously.

Recently, I was astonished and alarmed by a website owner on Twitter.  She disguised her profile link with another domain that redirected visitors back to the initial infected domain.  She was able to trick Twitter filtering, but at what cost to website visitors?  Her reasoning for switching the URL was “yeah i thought maybe i could trick it but i guess not. i’ll have to remove the links for now.”  The new link was never removed from her profile, though her site was eventually cleaned up. How many people became infected during the interim trick?  Irresponsible actions, as noted above, are all too prevalent when it comes to taking social responsibility for compromised websites.

Are you smart enough to run a website?

Taking responsibility for Internet security is something that we all should be taking seriously. From home user levels to corporate user levels – there is no room for feigning technological stupidity.  If you are a small business owner and operating a company website, you need to become educated on how to properly secure and maintain your website.  If you are unable to take Internet security seriously, you will need to hire a professional.

Cyber-crooks are relentless in their pursuit of your money and “It’s all about the money,” according to Graham Cluley, senior technical consultant at Internet security firm Sophos. In the worst case scenario, your identity and your financial security can be severely compromised. –Source: Bill Mullins

Running a website is a huge responsibility and should not be taken lightly. Today, cybercrime rules the Internet highways. If you don’t know how to drive, park the car and get out now!

Being involved in computer security, I am amazed and frankly frustrated, at the lack of personal responsibly [SIC] exhibited by most typical computer users, and most importantly, the lack of commitment to acquiring the knowledge necessary to ensure personal safety on the Internet. In a word, becoming “educated”. –Source: Bill Mullins

The butterfly effect is here to stay.  Even the smallest of actions can severely impact all of us.  One malware link to a .cn domain could compromise one computer.  One computer then joins a botnet.  Next on the agenda — ten housand computers join a botnet.  Why?  Because the computers already house severe vulnerabilities.  As webmasters (hosting service providers) do not downplay your Internet security role as insignificant.

Steps that you can take to secure your website:

Kevin Roderick suggests Seven essential resources to help protect your website from technical attack:

1. Google’s Webmaster Tools
2. Google’s Safe Browsing Diagnostic Tool
3. Google’s Online Security Blog
4. Stop Badware’s Link Clearinghouse
5. Webmaster World
6. Matt Cutts’ Blog
7. Search Engine Land

Until next time — stay safe online!

Today I received a friendly little email purportedly from someone that had a question about my business, and who also wanted me to add them to my friends list from the supplied link in the email.  The email address that the sender used immediately raised a red warning flag because I currently use this particular email address specifically to monitor iffy stuff on the Internet. 

Analysis at ThreatExpert exposed some pretty serious threats:

There were five .js links on the Facebook landing page <REMOVED>

Canonical name: gateway02.websitewelcome.com -all IP’s consistent with that of a Mail Server.
Addresses:
69.41.248.84
69.56.142.20
69.56.159.20
69.56.170.20
69.56.176.20
69.56.184.20
69.56.212.20
69.56.216.20
69.56.224.20
69.56.236.20
69.93.106.20
69.93.115.20
69.93.126.20
69.93.136.20
69.93.139.20
74.52.222.226
67.18.36.20
67.18.53.20
67.18.62.20
67.18.65.20
67.18.66.20
67.18.80.20
67.18.81.20
69.41.242.20
69.41.247.20
69.41.248.20

That is about all I know for today!  If any security expert needs more info – just ask!

Update:  10-22-2009 7:05 PM

Until Next time — one-off, security terrior here, and I never let go of a bad guy (wink)

The dark side of the Internet is darker than it has ever been at any point in history .  Economic downturns tend to breed new tactics, and cybercriminal organizations now have the knowledge, tools, and capability to directly impact global financial systems.  Everyone needs to become part of a Solid Internet Security Solution by making a concerted effort to proactively protect data, whether on an individual computer or a corporate network.

The use of  Microsoft’s operating system leaves you vulnerable to possible infections and reinfections if your system is not patched.  Security software can’t update definitions if the threat is under-reported and still in-the-wild.If you use a security suite that includes an anti-virus, anti-spyware, firewall, privacy/parental/phishing controls, — you are not protected against ALL Internet threats.

“Few will have the greatness to bend history itself; but each of us can work to change a small portion of events, and in the total of all those acts will be written the history of this generation.”  — Robert F. Kennedy

Before connecting to the Internet you should make sure that your computer is safe to surf  the Internet via a layered approach.  Aside from using a good anti-virus suite you should also use browser security add-ons such as Finjan Secure Browsing, McAfee SiteAdvisor 2.9, and W.O.T. If you frequent social networking sites, you should become familiar with current security threats and take precautions seriously in order to avoid becoming infected.  If you constantly connect to sites via shortened URLs, download and install AVG free LinkScanner, ( a free security tool that can detect malicious pages.)

If you use Twitter, download and install Immunet Protect:  “The solution is clever. It leverages the idea of safety in numbers. Every time someone in the Immunet Protect network encounters a virus, the threat is identified, logged, and blocked on a centralized server platform. Instantaneously, because of the way Immunet works, everyone in the network can be protected from that identified virus.”   –venturebeat.com

More recommended security tools to add to your arsenal

Secunia Software Inspector

Be sure to check your computer system and application software with Secunia Software Inspector as part of your regular security maintenance routine.

Secunia Software Inspector will detect vulnerable applications and provide you with the link to the update site.  After you update your operating system or  application software, be sure to re-scan to validate that the vulnerabilities have been corrected.

The Adobe Reader 9.x example screenshot listed below includes the application that is vulnerable, current version, and the version that you should update to in order to correct the problem.

If you want even better security update advice for your computer system(s) then you should use:

Home User,  Personal Desktop:

Business User:

If you don’t have a regular security maintenance routine,  be sure to stay tuned to this blog and I should have one available for download by the end of this month. If I forget about it, please tweet me up @teksquisite.

Trend Micro: RUBotted

The next uber cool security tool that I highly recommend is RUBotted: an anti-botnet detection tool from Trend Micro that sits silently in your desktop tray, while watching for incoming botnet activity.  RUBotted co-exists comfortably with current AV software.

Update [10-18-2009]: This tool could use a bit of tweaking to give more information than “Detected DNS query of malicious domain.”  (It would be nice to get the domain name and IP number too.)  RUBotted only has one solution available, and that is to go toTrend Micro’s Housecall site to get it cleaned. The solution may become part of the problem for this particular tool, as more Internet security sites become blocked by malware.

“RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” –Trend Micro

This tool is a worthwhile tool to include in your security toolbox…

Using a “layered approach” is the suggested method to better secure your system(s).  It is a dog-eat-dog Internet when we are dealing with the $$$ bad boys from the dark side over yonder.  Being part of a “Solid Internet Security Solution” or SISS,  is the ability to take responsibility for policing your own Internet security FIRST.

On a holistic level, what goes around comes around — don’t share your viruses or botnet connections with other Internet users.  Stay tuned for Part II of Intruder Defense SISS in November!  Comments are welcome at this blog

I will close with my new Twitter #FF recommendation signature gratis Rik Ferguson, Senior Security Advisor at Trend Micro:

Until Next time — one-off, security terrior here, and I never let go of a bad guy (wink)

Comcast

Comcast Corp, a U.S. high-speed Internet service provider recently released a ‘pop-up, in-browser automated alert service’ known as “Constant Guard.“   The trial system (currently available in Denver, Colorado) warns customers of potential virus infection, if their computer behaves as though it has been compromised by malware.  Aside from the automated alert, the customer will also receive email verification of the alert at their primary Comcast email account.

The alerts are triggered “when we see computers on our network that are doing things that are known bot activities–say, a computer is spewing out thousands of spam e-mails,” said Jay Opperman, senior director of security and privacy at Comcast. — cnet news

“As the nation’s largest residential Internet service provider, our goal is to provide a safe and secure Internet experience for our customers,” said Mitch Bowling, senior vice president and general manager of online services at Comcast. “The Constant Guard Security Program is the result of many years of working to assemble the right people, technologies and resources to help ensure our customers are protected from hackers and bots in real time.” –PR-Inside.com

Comcast customers currently have free access to McAfee Internet security software.  Overall, Comcast Corp is a major ISP leader and shining example of how an Internet Service Provider (ISP) can be supportive of Internet security initiatives, embrace social responsibility at the gateway, and stay proactive in the continuous fight against cybercrime.

Comcast has been ranked as one of the TOP 5 ISPs in Shadowserver.orgs Hall Of Fame “for going the extra mile in helping us rid the world of malware.”

ISPs in General

During a keynote presentation at the Virus Bulletin conference 2009, Head of Google’s anti-malvertising team,  Eric Davis, wanted ISPs to become more proactive in their approach in dealing with malware-infested computers on their networks.

“The ISPs are in the best position to detected [SIC] infected machines. They’re in the best place to do something about malware.  They already have monitoring systems that could be used to identify signs of malware and botnet activity…However, because ISPs have no monetary incentive to notify and help disinfect machines, the botnets live and thrive within ISP networks.”

Eric also recommended ISPs use the Australia Internet Security Initiative (AISI) as a model to fight malware.  The AISI group mandates minimum customer security levels and isolate infected machines into “walled gardens” until the malicious software is removed. Clap, clap, bravo Eric!

Finjan’s Malicious Code Research Center (MCRC) research reveals that malware is installed on computers when visiting compromised websites serving malicious code. Cough. Hey Twitter. Let’s not suspend the account of a prominent  researcher who helps thwart botnets and malware, why not just suspend the account of @softwaregenius who pushes malware urls to MALWAREREMOVALBOT?

“The sophistication of the malware and the staggering amount of infected computers proves that cybergangs are raising the bar,” said Yuval Ben-Itzhak, CTO of Finjan. “As big money drives today’s cybercrime activities, organizations and corporations need to protect their valuable data to prevent theft by these kind of sophisticated cyberattacks.” –PR Hub

Pekka Andelin, a Malware Analyst at Lavasoft asked this question earlier this year: “Should Internet Service Providers (ISPs) supply their customers with an Internet connection over a network feed that is clean from illegal Web content and malware – programs that could cause network lag, compromise system security and threaten user privacy? — ISP Level Malware Filtering, An Extended Clean Feed?

Pekka used the analogy of how a water company has to make sure that the water they provide via pipes is “uncontaminated and flows securely all the way to their customers’ water taps.”

Conclusion

Comcast, walled gardens, and water pipes, oh my!  What do they all have in common?  They are all a part of  the anti-botnet cornerstone that is pivotal in securing the foundation of our financial systems .  The Internet can no longer be stymied within the context of wild, wild west discourses.  Globally, there is too much at stake.  The old Internet is no more.

We now sit on the verge of a SUPER Internet that has the potential to bring down our financial systems worldwide.  Every time we get one step ahead of the bad guys, they reinvent, they morph, and they grow bigger. We have to learn to grow bigger too.  We must learn to embrace  social responsibility. In order to keep the new Internet safe, we have to let go of me, Me ME and work toward the good of the whole.

Until next time — Stay safe online!

Update: 10/06/2009

Though this was not an obvious phishing campaign that takes your money, McAfee Site Advisor Rating:

Phishing or other scams

This site uses your Twitter account info to send spammy messages to your followers. Here is an example:
“I got 100 followers using http://TwitPWR.com/swf/ . Check it out!”

This is a clear case identity theft. I advise you to not fill your twitter username and password in this site.
Posted at 09/23/2009-08:49:43 PM by Alexis Kauffmann

Ryan Johnson is currently running another spam campaign on Twitter via Followersquick<>info [IP:124.217.246.188] .

Toxic URLs on Twitter can get me fired up faster than any other social networking site.  I think it is because the time it takes for Twitter to notice that there is a problem, and then for Twitter to act on it —  leaves a huge security hole and enables the bad guys to maximize and control the dark side of Twitter.

I’ve been watching the dark side of Twitter for over 7 months now, and there is a lot of malware stories that do not unfold at my blog.  There are also security experts outside of Twitter who follow up and have become just as frustrated with Twitter Internet security as I have become.

For the record, I am highly vocal about the fact that I think Twitter has a social obligation to the Internet community as a whole.   I think that they need to act upon social networking threats that transpire at their site immediately, and to have a rapid response system in place to confirm or deny the validity of reported offenses and offenders.

Current keyword culprits that have gone viral are [note that all are posted via API abuse]:

“This site just gave me 100 followers using hxxp://xrl<>us/bfosj8″

“I just got 100 followers using hxxp://TwitPWR<>com/swb/”

“I got 100 followers using http://is<>gd/3BP6e Go check it out”

“This site is great I got 100 followers in a day using hxxp://twi<>cc/Bjry”

“Hey Get 100 followers a day using xxtp://yumurl<>com/9yPYKZ.  Its super fast!”

“You should check this site out if you want 100 followers a day” hxxp://tinyurl<>com/n3oeal

“If you want 100 followers a day use” hxxp://alturl<>com/kdqj

“I use hxxp://TwitPWR<>com/swg/ to get 100 followers a day. It work great”

“If you trying to get more followers go to hxxp://shorten<>ws/bee0c2.You will get 100 followers fast!”

tweeterfast<>com Originates from IP: 124.217.246.188.

tweeterfast<>com
tweeteradder<>com
www.tweeteradder<>com
www.tweeterfollow<>com
www.tweeterpro<>com

tweeterfast<>com has a 301 from quick-followers<>com

Whois Information for tweeterfast.com

Registar ENOM, INC.
Registration Data:
Registered on 2009-09-23
Last updated on 2009-09-23
Expires on 2010-09-23

Nameservers:
ns1.tweeterfollow.com: 124.217.246.188
ns2.tweeterfollow.com: (DOES NOT EXIST)

Owner:
Admin:
Tech:
ryanjohnson2007hotmail.com
Ryan Johnson
+1.4103563433
+1.5555555555
Deadly Is Great
1533 Blue St.
Baltimore, Maryland 21217
US

Current nameservers are listed under tweeterfollow<>com. Check out this interesting archived page.
Rest assured that before this campaign is done — TWEETERFAST will give you more than 100 followers…

Don’t forget to check out their rules. When you sign up for an account at Tweeterfast, you are giving them the login and password to your account to further promote their site and your Twitter account will be hijacked.

Stay tuned for continued updates on Twitter as they become available.

Until next time — Stay Safe Online!

This morning I received an IM from someone concerned about a pop-up ad he had received from reading a post at the New York Times.  He could not remember the exact NYT article, but he did remember the advertisement attempting to download something to his computer.  This wasn’t just any pop-up ad either, this ad contained a redirect link to  malware hosted at protection-check07<>com.

After performing a few Google searches I posted this tweet at Twitter this morning [9:30 am EDT]:

Then at 12:54 pm EDT, The New York Times, @nytimes on twitter posted:

At 2:19 pm EDT an editor at The New York Times @palaro on Twitter  posted:

Note to Readers – NYTimes.com

At 2:49 pm EDT Jen Preston , Social-Media Editor for The New York Times, (@NYT_JenPreston on twitter) posted:

Steven Musil from Cnet stated in article New York Times site battles rogue ad:

The New York Times Web site is grappling with problems created by “an unauthorized advertisement,” but it is unknown how the ads appeared on the site and whether the Web site had been compromised.

These ads are capable of quickly switching IPs with a base originating at clients.your-server.de

09/13/09 15:06:56 dns http://protection-check07.com/1/
Canonical name: protection-check07<>com, best-antivirus3<>com
Addresses:
94.102.51.26
88.198.107.25
91.212.107.5

Whois details
Domain IP(s):     Reverse:
88.198.120.177    static.88-198-120-177.clients.your-server.de
83.133.126.155    t529.1paket.com
91.212.107.5    91.212.107.5
188.40.61.236    static.236.61.40.188.clients.your-server.de

Check for complete details regarding the listed domains at malwareurl.com.

I will post more details here as information becomes available!

Home Delivery: The New York Times Serves Up Some Malware

“Here’s a front page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of  bogus ads running on its Web site.”  –Peter Kafka | @pkafka on Twitter

Rogue NYTimes.com ad leads to fake anti-Virus

“What is known so far is that the Rogue anti-Virus attack came from the advertisements served on NYTimes.com. There was no pattern to the anti-Virus warnings, which appeared as an article was loaded.” –Steve Ragan

Late Update

I was served malware ad on @nytimes/nytimes.com (“the ad”). Here’s forensics and source: http://bit.ly/nytmalware # 11 mins ago. Follow @troyd

New York Times warns readers of website virus

Times Web Ads Show Security Breach

“OVER the weekend, some visitors to the Web site of The New York Times received a nasty surprise. An unknown person or group sneaked a rogue advertisement onto the site’s pages.” –ASHLEE VANCE

Until Next Time — Stay Safe Online!

Not much is happening on twitter this morning. I’ve just been casually observing nine twitter bots running “how to hack” scripts.  All bots were born on Monday, September 7, 2009 and have a mean tweet score of 2464.

I have placed current Twitter bots in in alphabetical order:

dailychin Joined: Mon 07 Sep 2009 14:15
Following: 0
Followers: 119
Updates: 2876

giiive Joined: Mon 07 Sep 2009 14:19
Following: 0
Followers: 62
Updates: 1384

martinse7en Joined: Mon 07 Sep 2009 14:12
Following: 0
Followers: 106
Updates: 2874

marydelakoko Joined: Mon 07 Sep 2009 13:52
Following: 0
Followers: 117
Updates: 2799

mrdeeegle Joined: Mon 07 Sep 2009 13:46
Following: 0
Followers: 67
Updates: 1441

newketket Joined: Mon 07 Sep 2009  14:08
Following: 0
Followers: 111
Updates: 2905

perrynelly Joined: Mon 07 Sep 2009 14:05
Following: 0
Followers: 111
Updates: 2481

razerdemo Joined: Mon 07 Sep 2009 13:56
Following: 0
Followers: 96

Updates: 254
rebewhite Joined: Mon 07 Sep 2009 13:49
Following: 0
Followers: 118
Updates: 2873

Originating from Russia, this site is engaged in the distribution of malware.  Some links connect to a fake flash player update from hxxp://exonlinebox.com/flash-plugin_update.45019.exe.  This site has been blacklisted.

Until next time — Stay safe online!

Listed below are account profiles guilty of promoting  rogue malware scam RegistryEasy on Twitter:

1world4
bestelectronix
bgoebel2
collin_creev
createwealthx
DaNetbookGuy
dmiddleton2
dwes456
dmiddleton2
dougsanders19
franzidee
guruassassin
johntukel
lelkins2
mw45
post_free_ad
registreasy
ronnie_ward
samfrankles
tommuecke

On July 25, 2009 Rik Ferguson wrote an informative article in his Trend Micro Blog about Registry Easy:  New Malicious tweet run on Twitter

Ironically, Registry Easy malware pushers are still allowed to scam Twitter users and people still pay $$$’s for a program that pays affiliates up to 75% profit.  The company site does not list a physical address, but doing a whois lookup the company is listed as:

Qiwang Computer Ltd
Luo Gang (business@registryeasy.com)
+86.7713219660
Fax: +86.
Keyuan Dadao Kechuang Dasha 626
Nanning, Guangxi 530003
CN

Registry Easy also produces fabulous reviews of its product online at such sites as  PCRegistryReport.com This particular review site is hidden behind the anonymity and privacy of WhoisGuard.

Adding convincing graphics to the review site:

With no obvious professional credentials, they also market the concept that these companies endorse their product.

About Registry Easy™ and RegistryEasy.com Last Updated Feb. 19, 2009

Since we start as a system utility company, RegistryEasy.com and its associates have always committed to delivering excellent products for PC tools, data recovery, computer security and OEM solutions for industrial uses. Our company has been dedicated in the development of professional system utilities for Windows users.

Until Next Time — Stay Safe Online!

If you can’t keep your WINDOWS computer and application software patched and updated, and your computer protected via updated anti-virus/anti-malware/anti-spyware, and FIREWALLED — DO NOT USE THE WINDOWS OPERATING SYSTEM. Please do not allow your computer to become an open relay for malware!

Draconian Interception

For just a moment, compare running your computer on the internet to those of safe driving habits.  Would you want a semi-truck driver flush behind you, operating with bad brakes on a steep mountain incline?   Think about it.

Driving a vehicle mandates that your vehicle pass a State safety inspection, proving that your vehicle does meet minimum standards for safe operation on public streets and highways.  I’m of the mindset that safe computing should be mandatory in order to connect your computer to the internet.

If all ISPs (Internet Service Providers) monitored every computer connecting to the internet for characteristics common to a potentially infected machine, and disconnected that machine from the internet until basic safety measures were installed and updated, we would not be experiencing such high degrees of cybercrime as is prevalent on a global basis today.

What you should do if you’re Machine Becomes Infected?

Once you discover that you have something bad on your computer, the first thing that you should do is DISCONNECT from the Internet IMMEDIATELY.  As a good netCitizen, I am sure that you don’t want to be pushing your malware down to the rest of us.

If you don’t know the first thing about using another resource (such as the library or friends computer) to download anti-malware tools then you need to hire a computer professional to do this.  Just as you would hire a mechanic to install new brakes on your vehicle, in order to pass the state safety inspection; you would hire a computer professional to deal with getting computer woes repaired, so that you can safely operate on the Internet highway.

Tools that you should have available to discover and clean nasties

First, install and run HijackThis[HJT] to scan your computer to find settings changed by spyware, malware or other unwanted programs. Analyze the logfile at Networktechs.  It is smart to be armed with the knowledge of what type of malware you will be dealing with. Many times you will have more than one type of malware present in your operating system.

Next, run these tools in the following order:

#1 Malwarebytes (MBAM). [Free] A site dedicated to fighting malware.  Run both the short and the long scan.
#2 SUPERAntiSpyware. [Free] A next generation company which specializes in anti-spyware technology.
#3 Rootkit Revealer v1.71

But I can’t run any of the anti-malware tools listed above!

You may need some of the tools listed below to figure out what processes are sabotaging your clean-up efforts:

SysInternals is a free program that controls auto-started programs.

SysInternals Process Explorer v11.33

SysInternals TCPView for Windows v2.54

Foundstone Intrusion Detection Tools [FREE]

Use Windows Task Manager to find:

• Random character file names
• High CPU usage
• Known legitimate services misspelled (example: svchost as scvhost)

Malware can hide just about anywhere!  It can replace .dll files, hide in the system32 folder, be disguised as a windows service, hang out in your user profile temp directory, or even in the default profile directory.  I recently found malware hidden in the program files folder itself, in a sub-directory of a legitimate software application!

If all the malware locations listed above are not enough to piss you off, malware can also load in the registry and even load while in safe mode!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

Other helper tools:

CCleaner is a freeware system optimization, privacy and cleaning tool.

Secunia Software Inspector. Checks to see that all installed software is fully patched and up-to-date

Are you guilty of clicking on short URLs or disguised email links without batting an eyelash?

I personally stay on the good side of paranoia when it comes to clicking on short urls or email links. I check the source of what I consider iffy in email, and scan site urls with Sam Spade or Unmask Parasites or will even wget a site page if I happen to be in that particular environment.

Browsers AND security

Upgrade to Internet Explorer 8 or

Download Firefox and install the following add-ons:

Finjan Secure Browsing 1.314 – Secure Browsing by Finjan
McAfee SiteAdvisor 2.9
W.O.T. 20090414 – Web of Trust
Link Extend 1.5.2 – Gives you all the information for any website you are visiting
Go ahead and Install Additional layers of security…

Download Threatfire 3

“ThreatFire 3′s ability to block installation of malware strictly by identifying bad behavior is phenomenal. It did a better (and faster) job than Norton AntiBot and even beat out Spy Sweeper, our current Editors’ Choice for signature-based anti-spyware. This free tool is an excellent addition to your security arsenal.” –PC Magazine

Download Immunet Protect (get with the cloud!)

Immunet Protect gathers strength daily as the Immunet Community grows and best of all its FREE. Already have Antivirus? Even better, install Immunet Protect alongside your existing product, and it will make the Immunet community even stronger.

So you want freedom from Big Brother?

It is the nature of the freedom beast within to want to be free from Internet control.  But for the good of the entire Internet community we need to deal with this issue of global Internet security now.  Think about what our banking systems and global economy would be like if the bad guys controlled it. Truth spoken, you have to give up a certain amount of personal freedom in order to maintain social freedom.

I do not personally want or desire to see the government controlling our Internet highway. I would not want to rename our beautiful country ChiAmerica…I strongly believe that we can begin to get a grip on botnets and malware if we hold ISP’s responsible for monitoring their networks for malware and all suspicious activities. The ISP should cut off all computers displaying suspicious activities from the Internet, until that particular node is safe to return to online status.  We practice security with private and corporate networks, why would an ISP be considered any different when it comes to best security practices?

There will always be new hooks for malware distribution and myriad innovative stealth methods that cyber-criminals employ to gain access to legitimate computer systems.  As long as we continue to fight the good fight and keep our Windows systems current, we can all rest assured that we are contributing to a healthy Internet and not opening up a back door to further global economic collapse.
Until Next Time — Stay Safe Online!

Update for July 3, 2010: Are you aware that Registry Easy Rogueware still operates under the following scam accounts on Twitter?

Registry Easy™ posing as @pcclean

Registry Easy posing as @registryeasy__

Until Next Time – Stay Safe Online!

Update for July 3, 2010: Malware Removal Bot is currently being promoted by @cbkidsoftware on Twitter.

——————

Malwareremovalbot is a malicious and ROGUE anti-spyware application.  Malwareremovalbot is not designed to resolve registry, spyware, or malware woes.  Though you can download this malicious Rogueware from what appears to be a legitimate site, it is anything BUT a legitimate site!  Once you have downloaded the trial and installed it, this particular rogueware will bombard you with fake pop-ups insisting that you purchase the full version of their product in order to remove myriad security alerts and overzealous pop-ups  .  The threats detailed in this rogue application are quite dramatic, but entirely false.  It is merely social engineering enlisted to prey upon your fears and to rip you off financially. 

You can also find Malwareremovalbot  on social networking sites such as Twitter, and in sponsored ads at Google and  Bing

@evilfingers (twitter) stated at his blog in Campaign scareware propagation MalwareRemovalBot

“Registering multiple domains on a single IP address, is one of the methodologies used for the propagation of scareware programs because it allows a consistent positioning web unethical by the way, expanding the horizon of possibilities that a desperate user reaches web that promises, through its false product, its magical way of solving problems or implement a so-called security layer to your computer to potential infections.” [Be sure to go to evilfingers blog to read the rest of this article.]

At the List of Known Malicious Sites /Rogue Software, a very hearty warning appears:  “These programs and related sites are so dangerous that I have specifically  ensured that readers CANNOT click any links and be redirected to them. This has been done for your safety.”

Recent Tweets from Twitter about malwarereovalbot:

@garyscrook  hXXp://twitter.com/garyscrook
http://adslurper.malremov…MalwareRemovalBot Malware Removal Tool. Designed Specificlly For Malware Related.

MalwareRemovalBot Malware Removal Tool. hXXp://bit.ly/CAzot
hXXp://www.malwareremovalbot<>com/?hop=cmedaily

IP for malwareremovalbot.com [August 2009]
Canonical name: 2.a9.354a.static.theplanet.com
Addresses:
74.53.169.2

Some other sites hosted on the same server:

adwarefree<>com
affiliates.adwarefree<>com
affiliates.malwareremovalbot<>com
affiliates.registryfox<>com
malwareremovalbot<>com
registryfox<>com
winregpro.com
www.malwareremovalbot<>com
www.registryfox<>com

Look at all the affiliate subdomains!

Lo and behold! An entirely AWESOME press release posted on July 20, 2009. Then we end up at
hXXp://malwareremovalbot<>repairandsecure.com IP: 74.52.151.178

Then wget exposes hXXp://www2.repairandsecure<>com/ and McAfee Site Advisor confirms that the site  promotes Rogue Software.

Mcafee siteadvisor has some interesting reviews…

“None of these “companies” offer legitimate products. They are part of an affiliate marketing machine, whose spread has been enabled by the web. Thanks to the web, anyone, anywhere, can promote a scam. These crapware promoters share common characteristics that make it easy to separate them from legitimate developers of software, including:

• Their domain registration is hidden or fabricated
• Unsubstantiated claims like “award-winning”
• A total lack of credible CONTACT information
• Promotion of the same software on numerous clone sites
• The use of bogus testimonials by their affiliates on SiteAdvisor and C|Net
• Encouraging affiliates to relentlessly promote the software, resulting in numerous bogus “review” web sites like this one.”  –Dean, McAfee Experienced Reviewer

hXXp://www2.repairandsecure<>com/ claims to be a Microsoft Gold Certified Partner
Repair & Secure endorses: Cyber Security Alliance (CSA) & Stay Safe Online (SSO)
Rogue scareware ENDORSES CSA and SSO – I’m so impressed!

From the malwareremovalbot web site:

Affiliates paid 75%

The Malwareremovalbot FAKE Press Release:

“Malware Removal BOT software provides dynamic protection for any PC. Once installed, it protects a computer by finding and removing Malware on the spot. Then, thanks to Malware Removal BOT’s automatic update feature, user’ computer is protected from future…”

And at the end of they are still:

Is Google & Bing helping Antispyware LLC to push rogueware?  Is Microsoft a GOLD partner?  Do affiliates really earn 75%?

Would you want this guy to manage your IT department?

Until Next time – Stay Safe!

Earlier today I discovered quite a few poisoned links in a user profile @twitter- 16 URLs to be exact, and every one of them included “Trojan-Downloader.JS.Iframe.atl.”  So I hash-tagged my discovery to #spam and #malware.  Then I performed a twitter search under #malware to make sure that the information about this serious exploit in this particular twitter profile would be acknowledged by twitter.

No tweets from @teksquisite were included in the initial twitter search that i performed,  nor under the hash tag of #malware, or #spam.  It was at this point in the time-line that I noted something was quite amiss!  It was very odd that there was no teksquisite posts under #malware search (which happens to be my # of expertise.)

So what do you do if you become twitter-search-banned for posting information about twitter malware links or you have posted duplicate links (due to tweetdeck choking?)  Try to find the support link over at twitter help – it is not very intuitive but I was finally able to post a request.

Currently waiting for an answer…

Update July 7, 2009 6:55 pm

I finally got back in the twitter time-line.  Long story and not enough time here to write it all out.  Suffice it to say that it took a lot of work to figure it out.

Update February 28, 2010

Open up a Twitter Support Ticket here: http://twitter.zendesk.com/requests/new

If Protection System somehow downloads itself to your computer (via a Trojan or bad URL), do not purchase this program!  It is just another piece of malicious malware, posing as scareware in an attempt to coerce you into purchasing the full version of their product.

Once this rogue program is installed on your computer, it will load at start up and perform numerous false scans.  It will also bombard you with security warnings, system alerts, and BUY ME TO UNBLOCK FULL VERSION nag screens.  If you fall prey to purchasing this partiular nasty — it will do nothing but bloat your operating system, try to uninstall current legitimate malware removers such as Malwarebytes, and make your computer run noticeably slower.

To get rid of Protection System cruise over to the Remove Protection System (Uninstall Guide)  at Bleepingcomputer.com.  You will also need to download and install Malwarebytes’ Anti-Malware

Until next time – stay safe!

Antivirus System Pro is a malicious fake anti-spyware program downloaded to your computer via a hoax website or infection via a Trojan horse. This program will generate exaggerated fake security alerts and display highly annoying bogus pop-up messages, and will also hijack your browser.

Frequent false security scans will attempt to convince you that your computer has infections that cannot be removed unless you download a full version of Antivirus System PRO.  Don’t be duped into downloading this POS malware…

You do not need to download any pay-for-anti-malware removal aids to rid your system of this particular nasty. Simply download 100% effective Malwarebytes [FREE] and follow the Geek Police Removal Guide instructions here.

I recently installed Avast FREE antivirus software developed by ALWIL Software a.s. based in Prague, Czech Republic on my home laptop.  While googling today I was warned verbally by Avast about a dangerous scripted link that I had just clicked on.  Fortunately I avoided downloading an internet virus by clicking on the abort connection button in the Avast warning popup.

There is no reason why anyone should be without virus and malware protection today.  There are many different options available to protect your computer.  For the home user, an anti-virus solution such as Avast Home Edition Free  is available for Microsoft, Linux, and Mac users.

Happy Surfing!