Security and Virus Related News

  • Facebook Recommends Spam Profiles 1 Sep 2010 | 8:48 am

    Facebook's "People You May Know" feature appears to be using profile search history when making its recommendations.

    I frequently search for spam related keywords, and today, two spam accounts were recommended to me.

    People You May Know

    Elma and Drema? I don't know anybody by those names…

    Searching for the name "Elma Fewell" yielded a few doppelgängers. Checking incremental Facebook IDs yielded even more.

    All of these spam accounts were created on Wednesday, August 11th.

    Facebook Spam

    I also found five Sueann Dehart accounts and a Janiece Duval. All of the profile pictures are of attractive young women (and one of Kim Kardashian). Several of the photos appear to be of Ukrainian models, based on a reverse image search.

    The profiles posted spam links such as these on the 12th:

      •  A deal you just can't refuse!
      •  Check this out!
      •  Do not pay for a new iphone 4, get one for free one for no cost!
      •  I became tired of my old mobile phone and got an apple iphone 4 for free!
      •  Incredible Offer Below
      •  Just had to share this with you
      •  Take advantage of this awesome deal!
      •  Take advantage of this great deal!
      •  Whoa, check this out everyone

    The links lead to LiveJournal pages that display this iPhone 4 bait:

    LiveJournal Spam

    But then the "Click Here Now" button directs to another domain which, in Finland at least, gives the following message:

    "Sorry, this offer is unavailable in your country. You are now being redirected to a similar offer that is available in your country."

    And I was then directed to advertisements for "Bounty Bay Online" by Frogster games, a Berlin-based game company.

    Bounty Bay Online, http://www.frogster.de

    One of my German colleagues has informed me that there's a game expo coming up soon, and that Frogster is promoting a free MMORPG. I think it unlikely that Frogster could be aware of just how their advertising budget is possibly being drained by these unscrupulous affiliate marketers via Facebook and LiveJournal. (Our German office will let them know…)

    Abuse messages have been sent to the appropriate parties.

    As for Facebook… thanks, but I really don't appreciate the recommendations. Perhaps Facebook should allow people to purge their search history from time to time? Or else they should retool their recommendation algorithm to weed out the fakes.

    It's easy enough finding spam on my own — I don't need any extra help.

    Signing off,
    Sean

    On 16/08/10 At 04:02 PM

  • Twitter Spam and the OAuthcalypse 1 Sep 2010 | 8:48 am

    Twitter discontinued support for basic user authentication in third-party applications yesterday morning.

    Good. It's always best to never share your password with a third party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute-force password attacks via Twitter's API.

    All third-party applications must now use Twitter's OAuth.

    OAuthcalypse

    So, that being the case… we have a feature request.

    The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".

    OAuthcalypse

    If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).

    We don't suspect Boy George is behind this…

    OAuthcalypse

    Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access.

    OAuthcalypse

    And here's our feature request: we want a "Revoke Access and report as a spam application" option alongside the existing "Revoke Access" option.

    Cheers!

    On 01/09/10 At 03:36 PM

  • Once Again, Zeus 1 Sep 2010 | 8:48 am

    Zeus continues to be one of the most common pieces of malware we run into.

    Just now we've been watching a spam run with malicious ZIP files attached to the messages.

    Resume ZBot

    Inside the ZIP is always the same Zeus variant (md5 92671afe999e12669315e220aa9e62c2) but the name varies. So far, we've seen these filenames:

      •  2010 Contract With LC Change 051005.exe
      •  Flight Attendant-0600003A.exe
      •  Second chord sounds in world's longest lasting concert - Yahoo! News.exe
      •  Cancellation Notice.exe
      •  BURRESS_WEDDING_AUGUST2010.exe
      •  IN255596.exe
      •  2010 expenses.exe
      •  resume.exe

    The malware downloads additional components from two malicious websites in Russia: jocudaidie.ru and zephehooqu.ru.

    We block access to the malicious websites and detect the malware as Trojan:W32/Agent.DKJC.

    On 18/08/10 At 10:33 AM

  • When do 258 tweets equal nearly half a million dollars? 1 Sep 2010 | 8:48 am

    Wikipedia's affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers."

    This is very true — affiliate marketing methods definitely attract abuse from spammers.

    Our recent posts on Facebook and YouTube spam linked to cost per action (CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investigating social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com.

    CPAlead claims to be one of the largest affiliate networks, with nearly 11 thousand members in its Facebook Group. They also have an interesting Twitter profile that lists their daily top earners.

    They've tweeted 258 times since June 18th and the total amount of daily top earnings is $485,188.34.

    CPAlead Top Earners

    There were 281+ thousand leads (completed surveys) and 3.7+ million clicks. That's a 7.5% conversion rate for the top earners.

    With numbers such as that… there's little wonder why spammers are attracted.

    On 31/08/10 At 09:44 PM

  • Malware and Critical Infrastructure 1 Sep 2010 | 8:48 am

    "Computer viruses may have contributed to the Spanair passenger plane crash which killed 154 people in Madrid two years ago", reports the Spanish newspaper El Pais.

    El Pais

    "The Spanair central computer which registered technical problems in airplanes was not functioning properly because it had been contaminated by harmful computer programs", the newspaper continues.

    We cannot confirm whether malware played a part, nor do we know which particular malware it could have been. However, over the years, we have seen real-world infrastructure affected by computer problems. In most cases, this has been just a side effect; the malware behind the problem wasn't trying to take systems down, it just did.

    This was especially bad in 2003, when we saw malware-induced problems in real-life systems unprecedented in their severity. The main culprits were the network worms Slammer and Blaster.

    The network congestion caused by Slammer dramatically slowed down the network traffic of the entire Internet. One of the world's largest automatic teller machine networks crashed and remained inoperative over the whole weekend. Many international airports reported that their air traffic control systems slowed down. Emergency phone systems were reported to have problems in different parts of the USA. The worm even managed to enter the internal network of the Davis-Besse nuclear power plant in Ohio, taking down the computer monitoring the state of the nuclear reactor.

    The RPC traffic created by Blaster caused big problems worldwide. Problems were reported in banking systems and in the networks of large system integrators. Also, several airlines reported problems in their systems caused by Blaster and Welchi, and flights had to be canceled. Welchi also infected Windows XP-based automatic teller machines made by Diebold, which hampered monetary transactions. The operation of the US State Department's visa system suffered. The rail company CSX reported that the worm had interfered with its train signaling systems, stopping all passenger and freight traffic. As a result, all commuter trains around the US capital stopped on their tracks.

    CSX

    There was a lot of attention on the indirect effects of Blaster on a major power blackout in the Northeastern USA, which occurred during the outbreak week. According to the report of the blackout investigative committee, there were four main reasons behind the power failure, one of them being specifically computer problems. We believe these problems were to a great extent caused by Blaster.

    report

    transcript

    It is important to note that even though the system problems caused by Slammer and Blaster were truly considerable, they were only byproducts of the worms. The worms only tried to propagate: they were not intended to affect critical systems. The malware affected environments that had nothing to do with Windows: it was the massive network traffic caused by the worms that alone disrupted normal operations.

    On 20/08/10 At 12:53 PM

  • Phishing Attempt Alert! 1 Sep 2010 | 8:48 am

    Someone has been trying to pose as us again, and is sending out an e-mail that looks like this:

    From: Account Support
    Date: Saturday, August 28, 2010 4:33 AM
    To: none
    Subject: Account Alert!!!

    An HTK4S virus has been detected in your Email Account, and your email account has to be upgraded immediately to our new F-Secure HTK4S anti-virus/anti-Spam version 2010 to prevent damage to the email and important files in your email account. You are therefore required fill the columns below to enable us verify your email account or your email account will be suspended temporarily from our services.

    Username:
    Password:
    Date of Birth:
    Telephone Number:

    Copyright© Customer Care Center 2010 All Rights Reserved.

    You can safely ignore that e-mail, and please do not reply with the requested details. We don't have a product called F-Secure HTK4S anti-virus/anti-Spam, and we certainly wouldn't let such a badly written e-mail be sent out to customers.

    On 30/08/10 At 04:13 AM

  • DLL Hijacking and Why Loading Libraries is Hard 1 Sep 2010 | 8:48 am

    In the past days, a class of exploits that fall under the category of DLL hijacking (or "binary planting") have gotten a lot of attention. Apple's iTunes had problems, and a lot of other applications seem to be falling for the same thing.

    The problem is really quite simple. An attacker will try to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) somewhere under the same location. By doing this, he can force a vulnerable application to execute the malicious code. So, double-clicking on the wrong file on a network share might get your machine infected.

    The whole class of problems is really nothing new. As Thierry Zoller points out, a nearly identical issue was reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that was made available by HD Moore last Sunday. It makes finding such vulnerabilities very easy.

    So what can you do to keep safe? Microsoft has Security Advisory 2269637 out on the issue. It has several ways to mitigate the risks. You should also make sure to apply updates from different vendors for vulnerabilities in their products.

    We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities.

    Currently we are not aware of any vulnerabilities in our own software, but we are continuing further investigations on the matter.

    Signing off,
    Antti

    P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument, LoadLibrary("mylibrary.dll"), can be so difficult to get right?

    LoadLibrary MSDN

    The documentation for LoadLibrary has about 1100 words, the page describing it in more detail has 1000 words, and the page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary!
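    The following Python model is an added illustration, not code from the original post or from Microsoft: it reproduces the documented Windows DLL search order (Known DLLs and already-loaded modules left out for simplicity) to show why a bare LoadLibrary("name.dll") can resolve to a file sitting in the folder a document was opened from, and why a full path, or removing the current directory from the search with SetDllDirectory(""), avoids that. All directory and file names are constructed samples.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    """Minimal model of the Windows DLL search order (Known DLLs and
    already-loaded modules are ignored for simplicity)."""
    app_dir: str                    # directory the executable was loaded from
    system_dir: str                 # e.g. C:\Windows\System32
    windows_dir: str                # e.g. C:\Windows
    cwd: str                        # current working directory of the process
    path_dirs: list[str]            # directories on PATH
    files: set[str] = field(default_factory=set)  # lower-cased paths that exist
    safe_dll_search_mode: bool = True   # registry SafeDllSearchMode, on by default
    cwd_removed: bool = False           # what SetDllDirectory("") does to the order

    def exists(self, full_path: str) -> bool:
        return full_path.lower() in self.files

    def search_order(self) -> list[str]:
        """Directories consulted, in order, when a DLL is requested by bare name."""
        system16 = ntpath.join(self.windows_dir, "System")   # 16-bit system dir
        fixed = [self.app_dir, self.system_dir, system16, self.windows_dir]
        if self.cwd_removed:
            order = fixed                          # CWD is no longer searched at all
        elif self.safe_dll_search_mode:
            order = fixed + [self.cwd]             # CWD only after the system dirs
        else:
            order = [self.app_dir, self.cwd] + fixed[1:]   # legacy: CWD searched second
        return order + self.path_dirs


def resolve_dll(host: Host, name: str) -> Optional[str]:
    """Path LoadLibrary would pick for `name`, or None if nothing is found."""
    if ntpath.isabs(name):
        # A full path is opened directly: no search, so nothing can be planted ahead of it.
        return name if host.exists(name) else None
    for directory in host.search_order():
        candidate = ntpath.join(directory, name)
        if host.exists(candidate):
            return candidate
    return None


def _norm_dir(path: str) -> str:
    return path.rstrip("\\/").lower()


def loads_from_untrusted_dir(host: Host, name: str, untrusted_dirs: list[str]) -> bool:
    """Audit check: does this load request resolve inside a directory that
    someone other than the user can write to (a network share, a download folder)?"""
    resolved = resolve_dll(host, name)
    if resolved is None:
        return False
    parent = _norm_dir(ntpath.dirname(resolved))
    return any(parent == _norm_dir(d) for d in untrusted_dirs)


SHARE = r"\\fileserver\music"   # constructed: the share the MP3 was opened from


def demo_host(safe_mode: bool = True, cwd_removed: bool = False) -> Host:
    """Constructed sample layout: a media player whose CWD is a writable share."""
    host = Host(
        app_dir=r"C:\Program Files\Player",
        system_dir=r"C:\Windows\System32",
        windows_dir=r"C:\Windows",
        cwd=SHARE,
        path_dirs=[r"C:\Windows\System32", r"C:\Windows"],
        safe_dll_search_mode=safe_mode,
        cwd_removed=cwd_removed,
    )
    host.files = {p.lower() for p in [
        r"C:\Program Files\Player\codec.dll",     # shipped with the player
        r"C:\Windows\System32\helper.dll",        # an OS-provided library
        SHARE + r"\codec.dll",                    # same names dropped on the share
        SHARE + r"\helper.dll",
        SHARE + r"\optional.dll",                 # a DLL the player asks for but never ships
    ]}
    return host


if __name__ == "__main__":
    for label, host in [("default", demo_host()),
                        ("SafeDllSearchMode off", demo_host(safe_mode=False)),
                        ('after SetDllDirectory("")', demo_host(cwd_removed=True))]:
        for dll in ("codec.dll", "helper.dll", "optional.dll"):
            print(f"{label:28} {dll:13} -> {resolve_dll(host, dll)}")
```

The optional DLL that the application requests but never ships is the case that bites: with the default settings it is found only on the share, while a full path or an empty SetDllDirectory("") call makes that lookup fail closed.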

    On 25/08/10 At 05:45 PM

  • CPAlead Spam on YouTube 1 Sep 2010 | 8:48 am

    One of our Safe and Savvy bloggers, Melody-Jane, recently asked me about some "free" offers for F-Secure Internet Security 2010 that she spotted on YouTube. She thought the videos, and their associated links, looked just a bit more than suspicious. So I decided to check them out.

    What I discovered was Cost per action (CPA) spam. The same sort as I've recently been investigating on Facebook. (I'm really, REALLY beginning to hate this CPA stuff.)

    This is what one of the typical videos looks like:

    YouTube Spam

    "Click the Link to Begin Your DOWNLOAD.......BEFORE IT'S REMOVED!!"

    Too late. I've already reported the video to YouTube and Bit.ly abused their link within 30 minutes of my request. (Nice!)

    Here's another example of a spam video.

    YouTube Spam

    As you can see, it isn't just our software that the spammer is trying to rip off; he's offering many other AV products as well.

    If you click on the link advertised in the video's description, you'll end up at a WordPress.org blog.

    At which point you'll be presented with a CPA survey to "unlock the free content".

    YouTube Spam

    And what content do you get for your trouble when you fill out the survey?

    A link to a torrent site… (jerk).

    Downloading cracked software is typically a short path to malware. We don't recommend it (doesn't matter what software).

    Be seeing you,
    Sean

    On 27/08/10 At 08:22 PM

  • What's the success rate of Facebook spam? 1 Sep 2010 | 8:48 am

    Facebook spam (erroneously called scams) has been making headlines recently…

    And with all the attention on "virally spreading" links, we wondered, just how effective is it? What's the conversion rate? Links spread virally — but so what? That's only one step in the process. How many people actually fill out the CPA surveys that make the money?

    Here's one recent example of spam attempting to use English football player Peter Crouch as bait.

    Facebook spam

    Only 269 "likes" — doesn't seem that interesting…

    But wait, what's that in the bottom right hand corner? A counter of some sort?

    Indeed, this particular spammer is using a statistics site called http://whos.amung.us.

    Here's the dashboard view for the football spam:

    Facebook spam

    The most action that this spam managed was 208 hits in one hour.

    Here's another, more popular spam about an unlucky McDonald's Happy Meal:

    Facebook spam

    This spam uses bit.ly links to spread itself on Facebook.

    Facebook spam

    Facebook spam

    The links lead to http://happytruthblog.co.cc and there are just over 32,000 clicks. The stats also show the number of likes. Clicks to likes, what's the conversion rate? One link has around 40% and the other about 48%.

    The dashboard reflects the successful traffic.

    Facebook spam

    40% is an excellent conversion rate, much better than e-mail spam.

    However, the 32,000 clicks is far less than similar spam from just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks.

    Returns are diminishing as people are exposed, develop a resistance, and recognize Facebook spam for what it is.

    In fact, the spammers themselves seem to know this and are working harder to convince people.

    This version of the Happy Meal spam promises "no need to complete surveys."

    Facebook spam

    And the initial likes and the site's dashboard stats reflect well on that promise.

    Facebook spam

    But it's the same old spammer lie.

    This page has an anti-spam bot "test", which is just a survey by another name.

    Facebook spam

    Let's close the page. Wait, what's this?

    Facebook spam

    Please take one minute to complete a spam-free market research survey?!?

    Unbelievable.

    Screw the spammers! Let's take a look at what they're trying to cover up with their JavaScript.

    Here's the page source for the spam page:

    Facebook spam

    Rather than "like" the page and then "share" it with our friends on Facebook, let's skip to "step 3" and open /reveal.html.

    Hmm, that reveals a reference to widget.php.

    Facebook spam

    And widget.php's page source gives us the final result:

    Facebook spam

    What? Really? The Happy Meal story is from November 2007? Cripes…

    If that's the type of "free content" that these bonehead spammers are pushing, it's no wonder that there's a diminishing return on their efforts. What a joke.

    A couple of other examples that we examined today used video bait (video.php). Those spam pages eventually linked to YouTube videos, and those view statistics only showed tens of views from the embedded sources.

    That's good news. Examination of the data demonstrates that fewer and fewer people actually continue on to "step 3", which is filling out the survey. The vast majority of people bail out of the process after simply liking the page, or after sharing the link.

    But here's the bad news.

    Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts. Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made. And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon.

    On 23/08/10 At 08:09 PM

  • PS3 Jailbreak Trojan 1 Sep 2010 | 8:48 am

    For those of our readers who follow PlayStation 3 discussions, it would have been hard to miss the discussion about a new "jailbreak" for PS3. News of a USB dongle that breaks the security model of the game console to enable execution of third-party software (as well as pirated games) has been going around like wildfire.

    psjailbreak2.jpg from planetadejuego.com

    Not surprisingly, online miscreants are trying to exploit the excitement. The real USB jailbreak gadget is not a USB drive, but it looks like one. So now some clown is distributing a Windows program that claims to create a jailbreak USB device out of a normal thumb drive. All you need to do is download and run the program.

    PS3 Jailbreak

    In reality, it drops a backdoor. We detect it as Trojan:W32/Agent.DLEN (md5 e3e03501c795a6cc4c53df2619cadd4b).


    On 20/08/10 At 02:04 PM

  • MS10-052 - Critical: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-047 - Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Important - This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

  • MS10-057 - Important: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-059 - Important: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Important - This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

  • MS10-051 - Critical: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

  • MS10-055 - Critical: Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-058 - Important: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Important - This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  • MS10-053 - Critical: Cumulative Security Update for Internet Explorer (2183461) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves six privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • MS10-049 - Critical: Vulnerabilities in SChannel could allow Remote Code Execution (980436) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.

  • MS10-056 - Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638) 10 Aug 2010 | 4:00 am

    Bulletin Severity Rating: Critical - This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • Harebot.M 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Turkey: 1.48%
    Switzerland: 1.23%
    Argentina: 0.63%
    Colombia: 0.42%
    Mexico: 0.33%

  • Zlob.PS 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Mexico: 0.66%
    Costa Rica: 0.64%
    Spain: 0.26%
    Peru: 0.19%
    Others: 0.13%

  • MediaPass 28 Apr 2010 | 8:00 pm

    The most infected countries are:
    Costa Rica: 2.56%
    Mexico: 2.06%
    Argentina: 1.89%
    Spain: 1.30%
    Colombia: 1.26%

  • Lineage.LKR 21 Apr 2010 | 8:00 pm

    The most infected countries are:
    Peru: 0.75%
    Costa Rica: 0.64%
    Chile: 0.56%
    Canada: 0.53%
    Colombia: 0.42%

  • P2PWorm.JM 20 Apr 2010 | 8:00 pm

    The most infected countries are:
    Mexico: 1.51%
    Colombia: 0.84%
    Costa Rica: 0.64%
    Chile: 0.56%
    Argentina: 0.47%

  • Sinowal.WZN 17 Apr 2010 | 8:00 pm

    The most infected countries are:
    Denmark: 0.93%
    Others: 0.67%
    Canada: 0.53%
    Germany: 0.47%
    Spain: 0.43%

  • Lineage.LKJ 15 Apr 2010 | 8:00 pm

    The most infected countries are:
    Costa Rica: 0.64%
    Chile: 0.56%
    Turkey: 0.49%
    Argentina: 0.47%
    Brazil: 0.47%

  • Clicker.ARB 29 Mar 2010 | 8:00 pm

    The most infected countries are:
    Others: 0.94%
    Norway: 0.79%
    Netherlands: 0.68%
    Switzerland: 0.62%
    Mexico: 0.61%

  • Lineage.LJI 17 Mar 2010 | 8:00 pm

    The most infected countries are:
    Turkey: 0.56%
    Canada: 0.53%
    Slovenia: 0.50%
    Argentina: 0.47%
    Spain: 0.46%

  • Krap.AZ 28 Feb 2010 | 7:00 pm

    The most infected countries are:
    Denmark: 0.93%
    Sweden: 0.89%
    Thailand: 0.81%
    Germany: 0.79%
    UK: 0.54%

  • Downloader.Tibs 5 Oct 2009 | 9:50 am

    A new Downloader.Tibs variant is spreading today thanks to massive spamming. Infected e-mails contain an attachment about 130-140 kB long, usually named happy2008.exe, which is the trojan horse itself. There are also e-mails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs.

  • Win32/Mabezat.A 5 Oct 2009 | 9:50 am

    In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector that infects PE files. More information can be found in our Virus Encyclopedia.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    The propagation method of the new Nuwar variant is still similar to that of its predecessors. Spammed mails with a link in IP-address format direct users to the worm's web pages, where they are prompted to download one of the worm files under the name funny.exe. Other downloadable files are named kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

    The next Stration downloader variant spreads by e-mail in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, which is 18708 bytes long, is the downloader itself, and AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Trojan Downloader.Agent.UZM 5 Oct 2009 | 9:50 am

    A new Trojan Downloader was spammed today. The trojan is attached in a ZIP archive to HTML-format e-mails with the subject "Hot game" and body text promising an Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992 bytes), which drops, executes and deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs, injects into and hides an Iexplore.exe process and downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe as Trojan Downloader.Agent.UZN, runtime.sys as Trojan Downloader.Agent.THW, and the other downloaded components as several variants of Trojan Backdoor.Ntrootkit.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed e-mails are brief and contain a link in IP-address format to currently active pages hosting the worm. The compromised page code has been changed so that the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110-130 kB long and is detected by AVG as I-Worm/Nuwar.N.

  • I-Worm/Nuwar 5 Oct 2009 | 9:50 am

    We have a new wave of spammed mail messages containing a link that directs users to a website from which the worm is downloaded. The e-mails contain a short text and the IP address of currently active pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115 kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.

  • I-Worm/Stration downloader 5 Oct 2009 | 9:50 am

    The latest Stration downloader spreads by e-mail in messages with a randomly generated subject and body and one EXE and one PDF file attached. The EXE file is 20992 bytes in size and is the downloader itself; AVG detects it as I-Worm/Stration.FJA. The file the downloader tries to fetch is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Stration downloader 5 Oct 2009 | 9:50 am

    A new Stration downloader was seeded this morning via mail messages with a variable subject and body and two attachments: one with a PDF extension and a second with an EXE extension, 4096 bytes in size, which is the downloader itself. AVG detects this threat as Trojan horse Downloader.Generic6.PFM. The downloader tries to download and install Stration on the affected system, but the Stration download link is no longer active. More information about the Stration worm family can be found in the Virus Encyclopedia.

  • Backdoor.Win32.Clampi.a 25 Sep 2009 | 7:51 am

    This Trojan spy program is designed to steal confidential user data and remotely manage the victim machine. It is a Windows PE EXE file. It is 470 bytes in size. Installation When launched, the Trojan creates the following file: %AppData%\<name>.exe <name> is chosen at random from...

  • Trojan-Dropper.Win32.Agent.albv 15 Apr 2009 | 5:17 am

    This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size. Installation The Trojan copies its executable file as follows: %WinDir%\system\svhost.exe In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link...

  • Trojan-Dropper.Win32.Kido.a 15 Apr 2009 | 5:09 am

    This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 78848 bytes in size. It is written in C++.

  • Trojan-Downloader.Win32.Kido.a 18 Mar 2009 | 9:36 am

    This malicious program is a Windows DLL file. Installation The malware copies its executable file with random names to the following directories: %Program Files%\Internet Explorer\<rnd>.dll %Program Files%\Windows Media Player\<rnd>.dll %Program Files%\WindowsNT\<rnd>.dll %Program...

  • Trojan.Win32.Agent.azsy 12 Mar 2009 | 12:29 pm

    This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++. Installation Once launched, the Trojan copies its body to the current user’s Windows startup...

  • Trojan-Downloader.Win32.Agent.ahoe 24 Feb 2009 | 3:32 am

    This Trojan downloads another malicious program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 9216 bytes in size. It is packed using UPX. The unpacked file is approximately 38KB in size. It is written in...

  • Net-Worm.Win32.Kido.ih 20 Feb 2009 | 3:41 am

    This network worm spreads via local networks and removable storage media. When it copies itself to remote computers, the worm creates a temporary file with a random extension. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX....

  • Downadup/Conficker worm 29 Jan 2009 | 8:40 am

    The first version of this worm has been known since December 2008. It now has 300+ variants. More information can be found in the Virus Lab Blog.

  • Email-Worm.Win32.Brontok.q 23 Oct 2006 | 5:47 am

    This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine. The worm itself is a Windows PE EXE file written in Visual Basic. The size of the infected file can vary significantly. The functionality described below...

  • EICAR-Test-File 7 Jul 2003 | 7:36 am

    EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to...

© Copyright 2009, PCJOE.COM. All rights reserved.