Tekblog

Google ALERT poisoned URL

Teksquisite — Sun, 07 Mar 2010 15:17:41 +0000

While happily perusing Google malware alerts this morning, I managed to click on a poisoned URL. The Vista computer that I use for alerts/surfing/chatting/social networking is not my main PC, but is obviously one that I have no desire to infect!

So as to not reinvent the wheel, I went to Norton Safeweb and got a fairly good description of what this threat entails:

This particular malware is a drive-by-download and HTTP Fake Scan Webpage. It is not OK to click OK on the popup! You should immediately use task manager to end the browser session. Next you should run an antivirus and anti-malware scan (Malwarebytes is a good choice.)

This is a short-n-sweet! Until next time — stay safe online!

TrademytweetsDOTcom – just another Twitter Scam!

Teksquisite — Mon, 22 Feb 2010 02:55:23 +0000

Trademytweets[SCAM]com is a new variation of the old Tweeterfast, Tweeterfollow theme. Recent domains that have operated under the same gray umbrella are gettwitterfollowersforfree.com and
SpreadMyTweets.com.

Trademytweets claims:

“How does it work? When you sign in with your Twitter details, our system will find you 20, 40, 60 or 100 other Tweeters. Then with these people it will begin to make them follow you as you follow them, instantly. “An eye for an eye.” This service will continue until you choose to stop it.”

Current keyword tweets:with approximately 10 tweets per minute involving numerous affected accounts.

“Want some Free Twitter Followers?”
“Just used TMT for some free followers”
“Get Free Twitter Followers!”

Until Next time – stay safe online!

A quick and dirty on vigilante hackers

Teksquisite — Tue, 16 Feb 2010 22:34:15 +0000

Psychological harassment, obstruction of justice, and misuse of Internet technologies is clearly breaking the law.

For those of us who are involved in the realm of information security, it is a sad time indeed to see the control that some vigilante hackers have over the Internet.

Some of these cyber-criminals are not at all who they portray themselves to be. If you tear down their core belief system, vigilante hacker intentions are rarely focused on the good of society as a whole, and almost always seeking some form of self-gratification in the realm of fame and glory.

Would you really support a child who is having a major temper tantrum with rewards of praise for such actions? Or would you teach that child how to utilize appropriate coping skills so that she/he could become a better family member, friend and neighbor.

This is a short-n-sweet! Until next time — stay safe online!

Spam Spam (What It Do)

Teksquisite — Thu, 11 Feb 2010 19:43:44 +0000

Disclaimer: This blog post is in relation to my collection of spam. I am not a spam expert.

The past few weeks have elicited all manner of spam at Teksquisite, and also at Gmail and Yahoo accounts. Spammers often collect email addresses from customer lists, chatrooms, email chain letters, forums, newsgroups, websites, and viruses. Current email accounts that are receiving spam have connections to prior chain mails, forums, and newsgroups. Spam or junk email is almost always unsolicited and unwanted.

“Increasingly, e-mail spam today is sent via “zombie networks”, networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install a backdoor which allows the spammer access to the computer and use it for malicious purposes. This complicates attempts to control the spread of spam, as in many cases the spam doesn’t even originate from the spammer.” –Wikipedia

Most common email spam:

Chain mail – Gordon Brown Hoax
Trojans – botnets, bredolab, Pushdo
Phishing – Please log into your financial account and confirm
You are a winner – congratulations, lotteries
Offers – Viagra, educational, OEM software
Personals – find true love here
Scam news – generally will contain a link to malware

With an increase in botnet-related spam (mainly Bredolab,) a sharp rise in educational and pharmaceutical/medical spam, and definitely far more activity in the arena of phishing spam regarding financial accounts – you really should pay close attention to what lands in your inbox, because Trojans in the form of zipped files do not always end up in your spam folder.

I find it inconceivable, and somewhat disturbing that I collected almost 900 spam emails last week. This is quite a jump in spam, considering, that during the first week of January spam for all accounts leveled slightly below 300.

Over the past three weeks I have seen a sharp rise in UPS Postal Support email that always contains an attachment “invoice” that is spoofed from some.address@ups.com with signatures such as:
Postal Support RANDOM NAME
UPS Manager, RANDOMNAME

The attachment currently arrives as a ZIP file:

My advice to you is to KEEP IT ZIPPED AND DELETE IT!

Spam Examples

Chain Mail: Gordon Brown Virus

Chain mail claiming that if you receive a picture of British Prime Minister, Gordon Brown smiling, your computer will become infected with a virus.

You can read more about this hoax over at Graham Cluley’s Blog.

Trojans: Trojan.Downloader, Bredolab, Pushdo, Zeus [botnets]

Once the zip file is extracted, an exe file (disguised as an Excel file) downloads Pushdo (a malacious bredolab downloader.) In an article at cnet News, Joe Stewart, director of malware research at SecureWorks stated:

“Pushdo downloads different Trojans onto infected machines and has been used to send spam as part of the Cutwail spambot…”It’s a typical pay-per-install system,” used to distribute banking Trojans, password stealers, ad clickers, and search hijackers”

“For those unfamiliar, Bredolab is a simplified botnet – a loader which simply connects to a remote server to report and receive files to download/execute. Apart from rogue antivirus software (”scareware”), Bredolab’s other favorite download is Pushdo.” –Fortinet

Since Pushdo is not written to disk and is memory resident, botnet owners frequently change the code and behaviors of Pushdo, which further makes it difficult to classify variants over time. What I have posted here today, may not be applicable tomorrow!

For a better understanding of Bredolab see You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence by David Sancho, Senior Threat Researcher at Trend Micro.

Phishing – Please log into your account

This type of spam requests that you verify your account via a spoofed link where your personal details will be captured for the phishers
HSBC Bank will never send an email asking you to verify details.
There are all types of variations in these spoofed emails. If you receive e-mail claiming to be from HSBC, call HSBC at 1-800-975-4722. Follow the instructions regarding fraudulent email here.

You are a winner – congratulations, lotteries

Never reply to this type of email because you will end up on a global spammer list. Delete it.

Offers: OEM Software (Original Equipment Manufacturer)

OEM software is NOT FOR RESALE (NFR) and always includes licensing along these lines: “For distribution with a new personal computer only. This software may not be sold independently.” OEM software must be sold with hardware.

Some spam email often links to ebay where you can purchase OEM software. The seller appears compliant with the hardware requirement by advertising to remove hardware from the original system (or so they claim!)

“In accordance with eBay policy, I offer the HDD that came with the system (it currently has bad sectors and is not usable), which I can ship at the buyer’s request.”

Many recent OEM emails that I received are claiming to be a company located at 1100 South State Rd 7, Suite 501 in Margate, FL 33068. Their website is registered to a Russian domain. Thanks to Twitter folks @ChrisMuncy, @dckovar and @Lisa827 for advice on contacting the tax office in order to find out about the building that the business is located in. In this particular case, the City of Margate, Florida was unable to find any records for a business registered at Suite 501 at the above address. They will be sending out a code officer today to inspect the location since they only have four active businesses registered at this building.

Also be sure to stop by SIIA (Software & Information Industry Association) and brush up on
What You Need to Know About OEM and Academic Software.

12 steps to less spam:

Do not post your email address online in clear text. If you must post it online be sure that your address is munged so that the bots will not see it.
Never respond to suspicious emails.
Do not unsubscribe to spam email.
Do not use your personal email address for public use. Instead, use a disposable email address and set it up to forward messages to your personal email account. If you begin to receive spam in a disposable account –simply delete the disposable account and sign up for a new one.
Do not open suspicious attachments, links, or images. This could lead to malware downloading on your computer.
If you are using a software email program (and not a web-based one) be sure to disable the preview pane.
Use spam-blocking tools and filters.
If you need to forward email to groups of people use a disposable email address in the TO: field and add all recipients to the BCC: field. This will shield the email address from others as well as from spam harvesters.
Be sure to have antivirus software installed on your computer, run a full scan every week, and keep it updated! You should run some form of an anti-malware software each week too, such as Malwarebytes.
When you sign up for something on the web, be sure to uncheck the box that says “YES, I want to be contacted by select third parties concerning products I might be interested in.”
Be sure to take advantage of reputable and free computer scans such as the firewall leak and ShieldsUP tests over at Gibson Research Corporation.
Report spammers. Register for free spam reporting service at SpamCop.

If you plan on using this service often, consider making a donation!

Some helpful Links:

Federal Trade Commision FTC

If you are a victim of a financial solicitation contact
the Internet Crime Complaint Center

Medical fraudulent claims (devices or products)
Email: webcomplaints@ora.fda.gov

Investment-related email- *Copy headers and forward to:
Email: enforcement@sec.gov

*How to copy email headers

Until next time — stay safe online!

The invisible customer gobsmacked — NOT!

Teksquisite — Thu, 11 Feb 2010 04:00:17 +0000

Just got back from my favorite grocery store (anonymous) that I have been frequenting for eight years. The cashier at the speedy check-stand was less than pleasant — she was downright rude. This is the first time in eight years that I have had a bad experience/negative encounter at this particular store.

I was so annoyed with her attitude that I did not even wait for my receipt. I walked off in a bit of a huff, anxious to subdue the bubbling cauldron of negativity brewing within. Attitude is everything when it comes to customer service skills. Bad attitudes can spread like a virus. You can’t teach someone to play nice when they don’t want to play at all!

Could it be that she is having a bad night? (It doesn’t matter!)

Cashier: No eye contact, no conversation, and actively inaccessible in providing any form of decent customer service experience.

Me: It is uncomfortable to be at this check-stand. She won’t even look at me. She is staring at the cigarette cartons. She won’t talk to me!

If she is having a bad night, this is NOT my problem. I am the customer. If she is going to be manning the front lines of a business, she needs to make the customer feel, at minimum, the two “W’s.”

Warm – friendly and responsive
Welcome – Decent greeting\reception

Get Proactive!

In the past I have directly confronted bad customer service. It has never resolved anything and I am not one who likes to hold up a check out line!

While writing this post I decided that I will be informing the grocery store about this perceived negative customer experience. Not because I want to complain about experiencing bad service, but because I am concerned about how this particular cashier may eventually affect their business. Negativity tends to breed negativity.

An old article by Anna Thibodeaux in CRM Weekly summarized it best: “According to a 2006 survey released by a group within the Wharton School of the University of Pennsylvania, a typical business only hears from 4 percent of its dissatisfied customers; the other 96 percent leave quietly. Of that 96 percent, 68 percent never reveal their dissatisfaction because they perceive an attitude of indifference in the owner, manager or employee.

How can companies resolve bad customer service?

Provide appropriate training on how to provide good customer service
Provide higher pay rates to employees that excel in customer service
Pay attention to customer complaints
Transfer an employee that does not meet good customer service standards (GCSS)
to another position that does not involve direct contact with customers
Teach your employees to make a difference Today!

I hope that this article was helpful and now I am off to contact the company!

Until next time — stay safe online

Facebook redesign! Nobody told us!

Teksquisite — Fri, 05 Feb 2010 04:27:43 +0000

Great Facebook communication! Are you simply too huge, too cool, and too awesome to share GUI changes with our community?

Ermmm, Happy 6th Anniversary!

Register today for the FOSE 2010 experience!

Teksquisite — Wed, 03 Feb 2010 09:57:04 +0000

You are well aware of the challenges we as a CyberSecurity community face from rapid changes in the technology landscape. FOSE 2010 is the place to discover opportunities and solutions along with changing expectations for government IT professionals.

Register today for the FOSE 2010 experience http://www.fose.com.

You can expect:

3 days of IT resources helping you navigate today’s shifting tech landscape
2 full conference days packed with education on emerging technologies, trends, and new improvements to existing solutions
Thousands of products on the FREE* EXPO floor allowing you to gain one-on-one insight into the capabilities of our exhibitors through demos, theater presentations and FREE Education.
Attend the Accenture CyberSecurity Pavilion or Focus on Digital Forensics.

*FOSE is a must-attend free show for government, military, and government contractors.

It’s time to register and reserve your place at FOSE http://www.fose.com

Connect with FOSE
Twitter | Facebook | LinkedIn | GovLoop

3 important steps that can take the bite out of cyberharassment

Teksquisite — Tue, 26 Jan 2010 15:53:24 +0000

Recently, While watching the twitter public_timeline (TPT), I managed to get myself tangled up in an uncomfortable situation online. While on the TPT I came across an alleged hacktivist, became overly curious, and followed up by conducting private research to better understand the intentions behind his or her hacktivism activities.

It wasn’t long before I began to notice discrepancies in the hacktivist’s focused cyber attacks. While conversing with this particular hacktivist I also drew some curious head shakes from security experts who allegedly had connections with the US government (AC).

In a nutshell, I managed to upset both the hacktivist and the AC’s! All of this online drama came about because I unintentionally set myself up for such a situation to occur. Some of you may be wondering why I even bothered to pursue following and questioning such a controversial profile.

For as long as I can remember I’ve always been inherently curious. I was one of those kids who would find Santa’s hidden stash and secretly unwrap everyone’s Christmas gifts, then re-wrap all of the gifts back to perfection. Perhaps I was checking gift equality or I was just a nosy kid. Whatever the reason behind such invasive curiosity, this curiosity beast is one that I have to fend off and suppress on a consistent basis!

This type of curiosity could have easily become a Teksquisite reputation downfall. I could have been targeted both by the hacktivist and by government investigations. Though I did receive some direct communications via messaging and phone regarding statements I made about the hacktivist on twitter, I was not aware until much later in the game (by other concerned security
professionals) that this was a situation that I should graciously remove myself from.

“Harassment comes in many different forms and is not limited to physical or verbal abuse. Harassment can occur in any media or forum in which individuals interact.” –The Free Library

3 important steps to extricate yourself from situational cyberharassment

NEVER respond to flames.
NEVER confront the individual(s) with evidence or accusations
Remove yourself immediately from all hostile situations

The above steps should sever any type of online harassment situation almost immediately. Although there may be some negative fallout from my particular situation, I anticipate that the steps I have taken above will successfully eliminate the possibility that cyberharassment will continue to exist.

If the above steps do not resolve a cyberharassment situation, you may be looking at the more serious case of cyberstalking.

“Cyberstalking and cyberharassment are very similar. Most people use them interchangeably, but there is a subtle distinction, typically relating to the perpetrator’s intent and the original motivation for their behavior.”

“While the two situations usually involve many of the same online tactics, cyberstalking is almost always characterized by the stalker relentlessly pursuing his\her victim online and is much more likely to include some form of offline attack, as well. This offline aspect makes it a more serious situation as it can easily lead to dangerous physical contact, if the victim’s location is known.” –Wiredsafety

In the past I have voluntarily worked with both Wiredsafety.org as an Internet Security Specialist and HaltAbuse.org as an Internet Security Advocate. Both organizations offer extensive help to victims of cyberstalking. If you are involved in an online situation that has escalated beyond the status of cyberharassment, be sure to contact one of the organizations listed above for further information on how to protect yourself online.

Until next time – stay safe online!

If you read it on Facebook, it must be TRUE!

Teksquisite — Fri, 22 Jan 2010 02:18:20 +0000

Facebook Is Going To Start Charging Money!

This scam first appeared on Facebook during December 2009. Users who joined this group were tricked into clicking a malicious link that took them off-site while secretly dumping malware on their computer.

“The ongoing thread that Facebook will soon begin charging for their site doesn’t appear to be slowing. The other night I was having dinner with a family friend who told me about a scoop he had that Facebook would soon begin charging for the site and proceeded to explain why he would pay. While it’s great that Facebook has provided value to his life and millions of others, the company will not charge users to access the site.” –All Facebook

Researching current 14,99 groups/pages appears to be harmless with no suspicious links found. You can read more about this group at All Facebook.

Get A Free Pair Of UGGS!

You have to first verify that you can give out some private information, via taking one of the offered quizzes:

Does this IQ Challenge seem a little too familiar to you? In July 2009 WBZ-TV 4 in Boston reported on the “I.Q. Test” scam occurring on Facebook. Six months later, this scam is still connected to Facebook. Check out the details at WBZ-TV video.

Pay Attention To Possible Scams And Scammers!

Become a fan of *** Project NOSCAM *** and follow the weekly updated lists of:

SCAMS

SCAMMERS

** Notable Facebook Scams to be aware of **

If you find a scam or scammer on Facebook, do the site a favor and report it within the Group/Page and also report the scam Group/Page to Project NOSCAM.

“If you allow an application or website to connect with your Facebook account, that application or website can access information on Facebook related to you and your friends and generate and publish stories about actions you take on that application or website without any additional permission.” –Facebook

Help take a Byte out of Facebook Scams!

GASP YouTube: Vote-botting, false flagging, false DCMA shenanigans?

Teksquisite — Wed, 06 Jan 2010 04:26:49 +0000

In May of Last year The London Daily News reported that YouTube censored US journalist Alex Jones, best known for investigative reporting on the 9/11 terrorist attacks. At that time the “Alex Jones Show” on YouTube had over 1 million views per week, and was also responsible for “The Obama Deception.”

“Increasingly YouTube has been scorned for its move away from its foundation of “free speech video” to being seen as part of the establishment it tried to redefine when it was first established.” –PrisonPlanet TV

Censorship?

YouTube, emulates a meritocracy where highest user ratings and most views will land you on the front page. A vote-bot is a piece of software that can be used to systematically downgrade or upgrade vote popularity. Vote-botting can also be used to deflate vote ratings to such low levels that this forces the video out of search results.

Over the past two years certain YouTube communities such as Atheist YouTubers have suffered greatly under the deluge of YouTube vote-bots. Atheist video popularity ratings have been frequently sabotaged by strategically planned and maliciously orchestrated bands of malicious vote-bots. It is not unusual for video popularity to be reduced from a 5-star to a 1-star rating within a few minutes of these attacks.

“The bot armies are particularly onerous, automating the process of creating accounts, searching for any video by a particular user, then down-rating them all — resulting in such unlikely scenarios as a few thousand 1-star ratings on a video that’s only been up for a few minutes, thus pushing the video so far down the listings that nobody’s likely to ever see it to begin with.” –How to cheat at Youtube

Another method utilized to censor information on YouTube is defined as false flagging. This can be an automated process that flags videos as inappropriate when content is actually innocuous. The most vile flagging campaigns that I am aware of on YouTube, has been via fundamentalist and religious zealot groups. In their attempt to bully the YouTube fringe groups of Atheists, Wiccan’s, and Pagens, they have managed to destroy the advocacy of free speech at YouTube.

In an article titled You Tube Needs Fixin,’ Professor PZ Myers, biologist and associate professor at the University of Minnesota, Morris stated: “One of the big problems with YouTube is that science channels that criticize creationists are often shut down — they are targeted by votebots that lower their ratings, and there are plenty of people who file frivolous notifications of DMCA violations that lead to whole channels being shut down until the case is fought out. This is not good — the system is hair-trigger sensitive to complaints, but does nothing to filter out the noise of unwarranted claims made solely to silence people.”

The most powerful tool that fundamentalist and religious zealot groups have used against fringe groups at YouTube is the filing of False DMCA (Digital Millennium Copyright Act) claims. This forces YouTube to legally remove the video — effective immediately.

If they are still unable to restrict fringe group information with the three methods I listed above, eventually they often pull a full monty by filing multiple false DCMA claims. They know if they file multiple DCMA claims within a short period of time, that the victims channel will be suspended.

“There is a fight going on at Youtube, a fight for free speech, rationality and reason.” –rozeboosje

Please sign the Google/YouTube Censorship Reform Petition

Until Next time – don’t allow yourself to be bullied and stay safe online!

Tech highlights from December 2009

Teksquisite — Mon, 28 Dec 2009 00:44:04 +0000

Twitter hack claimed by Iranian group

The hack that occurred on Twitter itself is significant beyond any wider political motives. It shows that what is the world’s fastest growing communication network is rather insecure.

Being able to change the DNS records of a website means that rather than simply redirecting users to a vanity page identifying the hack, hackers could actually have redirected people to a site that looked rather like Twitter itself.

In a similar way to phishing attacks that mimic online bank accounts, the hackers could have encouraged users to login, thus revealing usernames and passwords.

Expert Rik Ferguson of Trend Micro told me: “One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. The hack that occurred on Twitter itself is significant beyond any wider political motives. It shows that what is the world’s fastest growing communication network is rather insecure. –channel4news

Twitter: @channel4news | @rik_ferguson

Web-Based Worms: How XSS Is Paving the Way for Future Malware

I first became aware of cross-site scripting (XSS) nearly a decade ago. At the time, despite being an all too prevalent bug in Web applications, the risk posed by the flaw was of limited value. It was the go-to vulnerability for any pen tester that was having trouble digging up a meaningful vulnerability to add to his audit report.

That has all changed now. Today, XSS represents a meaningful threat — a threat that is not only leveraged by attackers to harvest authentication credentials, but also is enabling a new generation of malware in the form of Web-based worms.

Depending upon whom you listen to, the statistics may be different, but virtually all agree that XSS remains the most prevalent Web application vulnerability that we face today. –TechNewsWorld

@technewsworld on Twitter

Cisco gives Zeus, Koobface and Conficker awards

Zeus is the most audacious criminal operation of the year and Koobface the most notable criminal innovation, according to Cisco’s Annual 2009 Security Report. On a positive note, the cybercrime sign of hope award goes to the Conficker Working Group.

Cisco Systems Inc. presented its first-ever Cybercrime Showcase awards as part of its 2009 Annual Security Report, released Tuesday.

Zeus: the most audacious criminal operation – Designed for information stealing and specializing in online banking fraud, Zeus is a shrink-wrapped piece of malware that any criminal is able to buy, explained Henry Stern, senior security researcher at Cisco. Some vendors are selling it as service for about $700 a month, he said.

Koobface: the most notable criminal innovation – Koobface is a piece of malware that takes over a user’s social networking account, explained Stern. “As soon as you get infected, it will send messages to all of your friends and it will try to lure them into becoming infected as well,” he said. –ITWorldCanada

@itworldca on Twitter

New Facebook Privacy Settings Under Fire

Facebook is making major changes to its privacy settings, giving you the opportunity to share your personal information with “everyone” on the Internet. But is that wise?

Facebook’s huge user base is signing onto their favorite social network today, and viewing an important message.

They’re being encouraged to review their privacy settings, as Facebook effectively encourages its 350 million users to share more information with everybody on the Internet.

The worry is, of course, that Facebook’s recommendations may be in the best interests of Facebook — but they may not necessarily be in the best interests of all of its users. –DarkReading

Twitter: @DarkReading | @Gcluley

Until next time — Stay safe Online!

Greetings from the Tekblog!

Teksquisite — Thu, 24 Dec 2009 22:37:23 +0000

Tweeterfast, Tweeterfollow, Twtkingz — The never-ending Twitter scam…

Teksquisite — Tue, 15 Dec 2009 23:32:33 +0000

I’ve been following the Tweeterfollow musical domain saga since late September 2009. The theme never changes. I’ve also written about their scam/phishing/twitter account hijackings here.

Yesterday the Tweeterfollow (AKA: TF) domain push on Twitter was via Twtxtreme.info (currently disabled) using short url services tinyURL and retwt.me. Today it looks like TF is promoting twtkingz.info via retwt.me and kiwi.url. TF consistently uses IP: 124.217.246.188 but because TF switches domains frequently, they have not been blacklisted.

The web login page is always the same:

Description: A place to add more followers for your twitter page. This is a twitter adder site

Keywords: get more twitter followers, tweet, twitter network,twitter train, get more followers on twitter, twitter, tweeter, tweeteradder, tweeterfollow, deadlyx, rawhood, hoodzone, followers, train, vip, tweet

Logged in to the TF Web GUI

Once you are logged in to their website you will automatically follow all VIP members. Then you click on Twitter profile random images [graphics from a3.twimg.com] to follow regular users [SIC].

Once you have clicked on all 20 default regular users profiles, the pop-up below appears:

Click on the OK button and 20 new profiles will reappear. You can click all day long and into the night and you will still get the congratulatory pop-up each time you click the 20th profile.

You are also encouraged to purchase a VIP membership using PayPal or a credit card. The account that TF is currently using at PayPal is registered to ryann.johnson2009@gmail.com.

Ability to view protected tweets

Using http://isfollow.com/ I wanted to see if the locked accounts that I randomly followed through the TF API were following me. The accounts listed below were not following me but I was able to view their PROTECTED TWEETS!

afrheyy
aliamutia
ibaddbxtch
IamHoodBarbie
ohannaweb

Since the above account is not following my test account I should not have been able to view IamHoodBarbies protected twitter stream. Obviously these Twitter profiles are all compromised accounts. A simple change of password is probably not the band-aid that should be used.

The Twitter filter managed to nab the “100 followers” string and filtered these tweets from the test account Twitter stream. The test account is also not currently accruing a steady stream of profiles from Twtkingz[TOX]info API like it was yesterday. During the past six hours the test account has only followed one protected account via the TF API. The test account is still able to view protected tweets of accounts that are not following the test account.

Who is behind all this?

With all the emphasis on botnets, security breaches, and malware; In comparison, Tweeterfollow appears harmless. Is it?

Domain ID:D30737265-LRMS
Domain Name: TWTKINGZ.INFO
Created On:10-Dec-2009 15:10:50 UTC

Last Updated On:10-Dec-2009 15:10:59 UT

There is something big going down on Twitter

Any website hosted at Piradius.net in Kuala Lumpur, Malaysia should immediately raise a red flag.

Update: 12-15-09 8:13 pm EDT

Update: 12-16-09

Update: 12-17-09

Update: 12-22-09

Test account data:

December 18:
5 tweets Total

Timing:
2 tweets @8:08 pm from API
1 tweet @9:54 pm from API
1 tweet @9:55 pm from API
1 tweet @10:25 pm from API

URL Breakdown:
3 tweets to twtfollow[TOX] info via ohurl.com
1 tweet to twtfollow[TOX] info via retwt.me
1 tweet = “This site just gave me 100 followers using” no URL

December 19:
9 tweets Total

Timing:
1 tweet   @6:09 am from API
1 tweet   @8:33 am from API
1 tweet   @2:10 pm from API
1 tweet   @4:34 pm from API
4 tweets @7:09 pm from API
1 tweet   @10:10 pm from API

URL Breakdown:
1 tweet to youtube.com [generic]
1 tweet to twtspeedy[TOX] info [via retwt.me]
2 tweets to twtfollow[TOX] info [via Safe.mn = flagged as a "Dangerous website: Phishing/Malicious Content"]
2 tweets to twtspeedy[TOX] info [via TinyUrl]
1 tweet to twtfollow[TOX] info [kiwiurl.com]
1 tweet to twtfollow[TOX] info [via shorten.ws]
1 tweet to twtfollow[TOX] info [via snipr.com]

December 20:
15 tweets Total

Timing:
1 tweet   @12:34 am from API
1 tweet   @1:10 am from API
1 tweet   @6:11 am from API
1 tweet   @7:12 am from API
1 tweet   @8:34 am from API
2 tweets @1:31 pm from API
2 tweets @1:32 pm from API
1 tweet   @1:33 pm from API
1 tweet   @2:11 pm from API
1 tweet   @6:36 pm from API
1 tweet   @7:29 pm from API
1 tweet   @7:33 pm from API
1 tweet   @10:12 pm from API

URL Breakdown is getting spammy, so for the sake of brevity – here goes:
The shorl you requested has been disabled due to abuse. We’re sorry for the inconvenience.
lu.mu disabled
kiwiurl.com disabled
nvg8.it disabled
twtfollows {TOX] Info still online
twtlimit {TOX] Inf still online
retwt.me = .twtspeedy[TOX] info

December 21:
26 tweets Total

Currently pushing the following Toxic URLs:

twtfollows[TOX] info
twtlimit[TOX] info
twtspeedy[TOX] info

Stay Safe Online!

FacebookAgent is a Backdoor Bot & Trojan Dropper

Teksquisite — Fri, 04 Dec 2009 02:15:59 +0000

There has been chattering the past few days about unknown rogue software available for download on the Internet that lets you view private Facebook profiles. I can assure you that this new software called FacebookAgent is old news wagging a new wrapper. This is not just another scam! This rogue application also has a back door along with Trojans droppers put together by cyber-criminals to elicit financial information via social engineering techniques. Prior to examining FacebookAgent on a VM earlier today I ran Malwarebytes and had a clean scan with no infected files. After installation of Facebook Agent and testing in a VM I ran Malwarebytes again and had 159 infected files! (the results will be posted at the end of this article.) Domain: www.facebookagent[DOT]com Current IP: 74.208.137.211 131 1&1 Internet Inc PA

Facebookagent.com website provides this Disclamer:

“Facebook Agent is an automated help manual that guides you through the process of gaining a legal view of the desired profile. This process is completely legal and is achieved through the other party’s aproval and acknowledgement. This software and/or methods should not be used in any other case that is not mentioned above. All facebook trademarks are copyrighted to facebook.com. All actions taken through and in this application are on full responsibility of the user. Facebook Agent is in no condition responsible of any harm, damage or violations done while using this application. If at any stage of the process any party will find violation of law against them, the process should immidiately be terminated and reported to the administration team of the application. By clicking the Start button you agree to take full responsibility of the actions done by this application. All rights are copyrighted to facebook Agent 2009 – 2010. All trademarks found in this application belong to facebook Agent apart from facebook trademarks which are copyrighted to facebook.com. By clicking on the Start button you accept this terms and conditions.”

Most of the links at the FacebookAgent website result in saving or downloading setup.msi. The msi installer loads Facebook Agent.exe and a database file in the Program Files directory. The installer also loads Perflib_Perfdata640.dat into the local user profile temp directory and runs the database file under svchost.

When you first run Facebook Agent there is no exit from the program. Bad code and even worse downloads and toxic URLs await you. Since I did not choose to install the IWON toolbar featuring the MyWebSearch default search provider I had to participate in the Green Card Scam that is listed below.

According to the flimsy interface above you have to click to claim what you have won! Your prize is located at: hXXp://html.usagc[DOT]org/step1landing_eng[DOT]html?afk=ranygnewcplcmp0309eng. Then you have to fill out a form that includes your full name, email address, country of birth, marital status, and telephone number. You also have to answer this dropdown menu question:

After I filled out the online form with false information, I received this response:

Canada, Mexico, and the United States are ineligible. On the same page I was also given the option to select another country if I were a native of a qualifying country or if my parents were born in a qualifying country. I opted for Australia and was quickly promoted to step 2 in the process!

I had a good smirk over the warning “using a stolen or fraud credit card number will automatically disqualify you from participating forever!! USAGC will immediately cancel your application and pursue legal remedies.”

USAGC is a scam! Don’t fall victim to this Green Card lottery scam! The DV-2011 Diversity Visa Lottery( run by The U.S. Department of State) online entry registration period ended on November 30, 2009

I was soon bored with the Green card lottery scam so proceeded to install the IWON Toolbar and failed.

After finishing the installation of IWON, I had to go to iwon.com to register for a free account. Overall, you can only get to step 1 in Facebook Agent because you can’t get to step 2 without filling out credit card information.

Finally I ran Malwarebytes again to see what nasties Facebook Agent had installed.

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 142

Registry Values Infected: 9

Registry Data Items Infected: 0

Folders Infected: 20

Files Infected: 86

Memory Processes Infected:

C:\Documents and Settings\test\Application Data\Microsoft\Network\svchost.exe (Trojan.Dropper) -> Unloaded process successfully.

C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Unloaded process successfully.

Memory Modules Infected:

C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.

Files Infected:

C:\Documents and Settings\test\Application Data\Microsoft\Network\wuauclt.exe (Backdoor.Bot) -> Delete on reboot.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft network service (Trojan.Dropper) -> Delete on reboot.

You can view the full Malwarebytes log here.

I did not have much time to pursue this today but have high hopes that other security experts will jump in and take a look at this backdoor!

Until next time — Stay safe online!

Tech highlights from November 2009

Teksquisite — Mon, 30 Nov 2009 08:19:08 +0000

Proper use of English could get a virus past security

Hackers could evade most existing antivirus protection by hiding malicious code within ordinary text, according to security researchers.

One of the most common ways of hijacking other people’s computers is to use “code-injection” attacks, in which malicious computer code is delivered to and then run on victims’ machines. Current security measures work on the assumption that the code used has a different structure to plain text such as English prose.

Now a team of researchers has highlighted a potential future theatre in the virus-security arms race by working out how to hide malware within English-language sentences.

Hackers call the part of a code-injection attack that is used to gain control of a vulnerable computer “shell code”. Because this is usually written in machine code, Mason and colleagues dubbed their technique “English shell code”.

They presented their research (PDF) at the ACM Conference on Computer and Communications Security in Chicago earlier this month, being careful to leave out some of their methodology to avoid helping malicious hackers. –New Scientist

@Newscientist on Twitter

Hacker to be sent to face trial in US despite relatives’ suicide fear

LONDON: A British computer hacker who has Asperger’s syndrome is at serious risk of suicide, relatives say, after a last-ditch attempt to prevent his extradition to the US was rejected.

In a letter the Home Secretary, Alan Johnson, ordered Gary McKinnon’s removal to the US on charges of breaching American military and NASA computers, despite claims by his lawyers that extradition would make the 43-year-old’s death ”virtually certain”.

The decision, described by lawyers as callous, has prompted fresh fears about Mr McKinnon’s wellbeing. Thursday’s letter rejected new expert medical evidence that Mr McKinnon’s health had deteriorated dramatically since he lost his case in the High Court in July, and meant that extradition would
violate his right to life. –Guardian News & Media

@GuardianNews on Twitter

Please follow computer engineer @Brian_Howes on Twitter who fights illegal extradtion for All to the DEATH.

Vendor rages after iPhone hacker given job
The code was rubbish too, says Sophos.

A security firm has expressed incredulity at the news that the Australian prank hacker who wrote a program targeting Apple iPhone users has been given a job by an application developer.

The writer of the Ikee worm, Ashley Towns, sprang to prominence only two weeks ago after his creation was found to be changing the desktop wallpaper on some ‘jailbroken’ or unlocked iPhones to display a picture of 1980’s British pop-star Rick Astley. Now, fellow-Australian software company mogeneration is reported to have offered Towns a paid job after hearing of his efforts.

“Yey, I got the job. I’m now an iPhone application developer,” says the 21-year old’s Twitter feed, adopting a nonchalant attitude that has seriously annoyed more than one security company. Currently, only one is willing to go on the record.

“What disheartens me is that Towns has shown no regret for what he did. He admitted specifically infecting 100 iPhones himself, letting his worm loose in the process. Now his utterly irresponsible behaviour appears to have been rewarded,” said Graham Cluley of software outfit Sophos, in an emailed press statement. –Techworld

John E. Dunn/@dourscot on Twitter

Shadowserver to Take Over as Mega-D Botnet Herder

An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour. The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world’s spam messages.

Last week, security vendor FireEye launched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.

That meant that the people controlling the hacked PCs, known as botnet herders, couldn’t contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D…FireEye has now handed control of those bots over to Shadowserver, a volunteer-run organization that tracks botnets.

Shadowserver has taken over the administration of a “sinkhole,” or a computer running custom software that acts as a command-and-control server that the Mega-D bots will call on, said Andre’ M. DiMino, Shadowserver’s co-founder.– Networkworld

@networkworld on Twitter

Until next time — Stay safe Online!

An affiliate marketer shows you how to go phishing…

Teksquisite — Thu, 26 Nov 2009 05:55:32 +0000

I am currently reading a read me from a recent .rar that I downloaded and extracted over at Tubnut (that is a pet name for my virtual station that analyzes files.) The one question in the read me that consistently catches my attention is —How can I get somebody to login to my phisher— The answer: “That’s for you to find out, use your mind. Probably the simplest way is Social Engineering and some phishing skill. Here is an example : hXXp://imgdevil.com/pfiles/11140/munged”

The one commonality between affiliate marketers and cyber-criminals is that they are both highly adept in the art of social engineering. Michigan.gov defines social engineering as “an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals.”

Most affiliate marketers remain in the gray area of social engineering. They also hold a strong emphasis on scam-type marketing campaigns in order to promote traffic to their website, specifically for the purpose of financial gain. In comparison, Cyber-criminals fully embark in blackhat social engineering techniques, developing fake “phishing” sites in order to gain access to financial accounts.

Today I found an affiliate marketer on Twitter who participates in both forms of social engineering. Though his account is not listed in Twitter search, I assume that he is from Pakistan and that he only uses anonymous accounts/sites to post content. I am not posting his information here at the Tekblog. For the purpose of this post I will refer to the affiliate marketer/phisher as P-man. So lets now move on to disclose some of the findings from P-mans phishing .rar.

I was 100% amazed to not find a Twitter Phisher here!

The major points that P-man promotes is that a phisher must:

1- Find a web host that supports php
2- Have a plan in place to send victims to the Index page
3- Learn how to hide links in forums
4- Seek free hosting/free domains (all anonymous)
5- What email spamming service to use
6- The use of URL shortening services to hide the phish
7- Proxies

There are also text files in many of the phishing folders that direct you to other underground technology websites. You will be instructed to register at these sites before you are allowed access. I believe that these underground sites will also be looking at your IP, OS vulnerabilities, etc in order to asses your intentions in registering. You can anticipate that there will be many sites that will also redirect you to set up a meeting in mIRC, regarding more complex phishing site configurations.

Paypal

While perusing the Paypal directory I noticed that there was a possible paypal phishing tutorial located at the free domain of DaveDaDon. His motto: Touch ME? Neva. His domain is now suspended…

Ironically Touch ME? Neva guy who goes by the online name of DAVEDADON, had the balls last year to post at the Microsoft Fóruns do Visual Studio. Perhaps ego rides a wild donkey too?

Freewebs

DAVEDADON also allegedly provided a Freewebs phishing tutorial at his now defunct site. This was the one and only folder in the .rar that included a WARNING.

This warning, apparently intended to pose as a disclaimer against holding DaveDaDon liable for anything that smacked of criminal intent:

DaveDaDon is not playing nice with his phishing students either!

P-man is anonymous…He uses Twitter and Facebook to push traffic back to an anonymous website. P-man has myriad Pakistani friends. P-man affiliates with phishers, may be phishing, and emulates viral marketing.

Online age: 13-21

Country: Pakistan

Twitter: 1007 followers (affiliate marketer, filtered from Twitter search)

Facebook: Fan page, 104 followers (most download links lead back to P-mans blog)

Until Next time — Stay safe online!

My USB flash stick is broken!

ITTekTips — Wed, 25 Nov 2009 23:17:53 +0000

Maybe not! I have an 8 GB USB stick that is only showing 950 mbs of available disk space. After doing a bit of Google research I decided to visit http://files.extremeoverclocking.com/file.php?f=197 and download HP USB Disk Storage Format Tool – v2.1.8, a nifty little USB format utility that is free to use.

Note: Be sure to download from the Primary Download Site

As you can see from the screen capture above, I did not use the quick format option. Formatting took almost an hour to complete, and this fabulous utility was able to retrieve all lost disk space.

If you have a USB stick that is missing disk space, give this HP USB Disk Storage Format Tool a shot.

Until next time – Stay safe online!

Part II: Intruder Defense – Use Ubuntu to secure financial transactions online

Teksquisite — Wed, 25 Nov 2009 09:21:20 +0000

Last month Brian Krebs wrote an interesting and informative article about E-Banking on a Locked Down (Non-Microsoft) PC for business owners, and outlined a tutorial on how to accomplish security online.

“In past Live Online chats and blog posts, I’ve mentioned any [sic] easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can’t be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations.” – Washington Post, Security Fix blog

Receiving strong reactions from his readers, Krebs posted a rebuttal titled E-Banking on a Locked Down PC, Part II. He further demonstrated that the initial article was not directed at consumers, but at “small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online.”

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit (NSW Police) uses two rules to protect himself from cybercriminals when banking online: Never click on URLs to the banking site and avoid Microsoft Windows. — ITNews Great advice during the onslaught of Zeus and the the Clampi Trojan…

Adrian Kingsley of ZDNet upped the malware alert a few notches when he stated “It’s time to ditch Windows for online banking and shopping. There, I’ve said it.”

You can have all the security preventatives lined up in a row and quacking, but you can’t protect ducklings that choose to cross the freeway during rush hour traffic. Windows is currently the primary target of global malware authors. Tomorrow it could be Linux. Next week it could be Mac. Any operating system that connects to the Internet and conducts financial transactions is fair game. Since a larger % of Internet users employ the windows platform to do online banking, it is obvious that windows would be the operating system of choice for cyber-criminals to pursue today.

Recently I restricted online financial transaction access to one workstation and to specific websites on a standalone Ubuntu computer.

Read Part I: Intruder Defense – Become part of a Solid Internet Security Solution (SISS)

Until next time — Stay safe online!

Dinner_Guest: Viral PR or the Real Thing?

Teksquisite — Wed, 18 Nov 2009 00:25:52 +0000

Dinner_Guest

Twitter Bio: I can’t help myself and i need to tell someone. Love the kill
Joined: Tue 10 Nov 2009 21:41

Following: 1 | Followers: 100 | Updates: 41

Being an avid Techcrunch fan, I was intrigued with Mike Butchers article “Is @Dinner Guest a sick joke or a real murderer on Twitter?” Who is this Dinner_Guest tweeter who has gone from 4 followers to over 100 followers as of this writing?

I’m watching this account now via Tweetdeck as Dinner_Guest plays a dumbed down version of a Twitter newbie.

Why did Dinner_Guest choose to follow RACarter?

Bio CFO for hire by the day to StartUps. Now myself a StartUp. I work a lot with the London tech scene.

And what are the the social implications of such shockingly dark tweets?

Is this a PR stunt or ?

I honestly think that this is a PR stunt. I added this person to one of my lists so that I can keep a close eye on tweets without having to follow the profile.

Stay tuned for future revelations as the plot thickens…

Twitter ’serial killer’ comes to Brighton Brighton and Hove News

Why @Dinner_Guest is probably a fake

The mystery has ended. Update 11/18/09

New Bio: “A fictional character born out of an artists mind. A meme experiment. & analysis.”

Until next time — Stay safe online!

The Butterfly Effect: Are You Smart Enough To Run a Website?

Teksquisite — Tue, 17 Nov 2009 06:55:04 +0000

The butterfly effect: “Small variations of the initial condition of a dynamical system may produce large variations in the long term behavior of the system.”

In the realm of Internet security, webmasters (hosting service providers) are pivotal in reducing the impact of compromised/malware-laden websites. Once a compromised site becomes known to a webmaster (or hosting service provider) it should immediately be disconnected from the Internet.

As a webmaster (hosting services provider) you play an integral role in guarding the integrity of site code and maintaining upgrade compliance. One neglectful action on your part – such as failure to acknowledge a website vulnerability can seriously effect all site visitors. An iframe exploit may seem small and insignificant at first, until a payload is dumped and eventually herds hundreds, or even thousands of innocent victims into the bowels of a stealthy botnet.

As a webmaster (hosting service provider) when using social networking sites such as Twitter and Facebook, you are also responsible for the health of your profile URL that links back to your website. If a social networking site filters your profile link, you should take the warning seriously.

Recently, I was astonished and alarmed by a website owner on Twitter. She disguised her profile link with another domain that redirected visitors back to the initial infected domain. She was able to trick Twitter filtering, but at what cost to website visitors? Her reasoning for switching the URL was “yeah i thought maybe i could trick it but i guess not. i’ll have to remove the links for now.” The new link was never removed from her profile, though her site was eventually cleaned up. How many people became infected during the interim trick? Irresponsible actions, as noted above, are all too prevalent when it comes to taking social responsibility for compromised websites.

Are you smart enough to run a website?

Taking responsibility for Internet security is something that we all should be taking seriously. From home user levels to corporate user levels – there is no room for feigning technological stupidity. If you are a small business owner and operating a company website, you need to become educated on how to properly secure and maintain your website. If you are unable to take Internet security seriously, you will need to hire a professional.

Cyber-crooks are relentless in their pursuit of your money and “It’s all about the money,” according to Graham Cluley, senior technical consultant at Internet security firm Sophos. In the worst case scenario, your identity and your financial security can be severely compromised. –Source: Bill Mullins

Running a website is a huge responsibility and should not be taken lightly. Today, cybercrime rules the Internet highways. If you don’t know how to drive, park the car and get out now!

Being involved in computer security, I am amazed and frankly frustrated, at the lack of personal responsibly [SIC] exhibited by most typical computer users, and most importantly, the lack of commitment to acquiring the knowledge necessary to ensure personal safety on the Internet. In a word, becoming “educated”. –Source: Bill Mullins

The butterfly effect is here to stay. Even the smallest of actions can severely impact all of us. One malware link to a .cn domain could compromise one computer. One computer then joins a botnet. Next on the agenda — ten housand computers join a botnet. Why? Because the computers already house severe vulnerabilities. As webmasters (hosting service providers) do not downplay your Internet security role as insignificant.

Steps that you can take to secure your website:

Kevin Roderick suggests Seven essential resources to help protect your website from technical attack:

1. Google’s Webmaster Tools
2. Google’s Safe Browsing Diagnostic Tool
3. Google’s Online Security Blog
4. Stop Badware’s Link Clearinghouse
5. Webmaster World
6. Matt Cutts’ Blog
7. Search Engine Land

Until next time — stay safe online!