Port 8008; Quiet Day, Thanks!; Money-Back Guarantee; Follow the Bouncing Malware VII: All That Glitters Is Not Gold

Published: 2005-08-22
Last Updated: 2005-08-23 13:28:28 UTC
by Tom Liston (Version: 1)

Port 8008

We're seeing a spike on port 8008 as a result of the kidz looking for machines that are vulnerable to a recently (mid-August) announced remote stack overflow in Novell eDirectory Server. Jus' a heads up: If you haven't patched - PATCH!

Quiet Day, Thank You!

Tap, tap, tap...

Hello? Is this thing on?

In contrast with the craziness of the past week, today was so quiet, you could hear a packet drop.

With Zotob and an IE "Zero-Day" hitting pretty much simultaneously, we've really been hoppin'. Last week, during one 24 hour period, we had over 500 emails. Combine that with trying to reverse engineer the Zotob variant of the hour, come up with an easy-to-do MSDDS.DLL fix, or deciding what to do with the Infocon, and it makes life "interesting."

Speaking of that...

Satisfaction Guaranteed, Or Double Your Money Back

For the most part, when people write in, they're kind and polite. They realize that we're just a bunch of geeks/nerds who are trying to help people out and doing it for... well... for nothing. There are about 35 ISC Handlers, and while I don't think any of us would ever claim to have the whole network security "thing" down individually, together we're pretty darned smart. When you write in and ask a question, we do our best to answer it intelligently, honestly, and without bias. We also answer it for free.

That's why it's especially disheartening to have some mental midget tee off on us about:

1) Our choice of when to raise / lower the Infocon.

2) Spelling / grammar / sentence structure.

3) When something on the site isn't working exactly how they think it should.

4) Personal attacks.

5) The grumble du jour.

When I was but a wee lad (I really was young once, and did not, despite popular legend, spring fully formed from the head of Zeus) my Grandmother always told me, "If you can't say something nice, just keep your mouth shut, you stupid little jackass."

Note: The irony of that was lost on me (amid deep psychological scars) until recently.

Therefore, to the bitter, ungrateful (and fearful - did you really need to use an anonymous remailer?) folks out there, and in the spirit of my grandmother's advice, I've decided that I will personally fund the following offer:
If you find that you're displeased in any way with the service
provided by the Internet Storm Center, we will cheerfully refund
double the amount of money that you pay us... you stupid little jackass.

You may now return to your drab, wretched lives.

Follow the Bouncing Malware VIII: All That Glitters Is Not Gold

The story thus far...

From the beginning, Man has always felt a need to document the world around him. Even the earliest proto-humans were driven to scratch marks on cave walls, and in fact, the walls of a cave in Lascaux, France were decorated by their inhabitants some 20,000 years ago. Modern anthropologists have described these as primitive paintings of bulls and horses. However, ask any red-blooded modern male what he figures a cave man would be painting on the living room wall, and he'll tell you what those pictures are really all about: Broads.

Naked broads.

Really ugly, hairy, naked broads.

At the dawn of the 21st century, not much had changed. The cave-wall has been replaced with HTML, the primitive pigments with digital cameras, and... well... the broads have shed some hair in addition to their clothes.

One thing really has changed, however. Instead of simply being satisfied with a still-life, we now have the option to show pictures that move. Thus one can now find displayed on various Internet "cave walls" a plethora of on-line documentaries showing how poverty stricken (and thus, clothing-deprived) young adults huddle together and use various friction generating techniques to keep warm.

Ethel, you put your clothes on!

Even in those very early times, porn and other illicit activities probably went hand in hand. You can almost picture Ogg, the caveman, clubbing his pal Grogg, and stealing his pile of shiny rocks after inviting him over to see his etchings of Annugg Kournikovugg.

As I said, not much has changed.

Our pal Joe Sixpack recently went searching for several of the aforementioned documentaries on the Internet. That search required that he install a "codec" to increase his viewing pleasure, and the non-obvious outcome of that viewing has been documented in
and . (If you haven't read these... well, why haven't you? What, do you live under a rock? Sheesh! Go read them now. I'll wait.)

A real gentleman

While we all might be shocked and awed by the fact that Joe's computer was gettin' what the folks in Joe's movies were gettin', it might not have been all bad. It appears that someone might have, as the saying goes, bought Joe's computer some dinner first...

You see, while Joe's machine was being man-handled by others, the fine, gentlemanly folks at were, figuratively speaking, knocking on the front door, bearing a bouquet of roses and a box of candy. They're the sensitive types. They want to be Joe's friend. They know, all too well, the trials and tribulations of the modern Internet age and, by golly, they're here to help.

How you doin? I'm holdin' my own.

And so, while Joe is be-boppin' across the Internet, watching people bein' bopped, something new and different happens. While he's seen many a thing pop up on his screen over the past few minutes, a bright orange window is somewhat unexpected. (Note: The enlightened among you need to read no further. Simply from the fact that the makers of AntivirusGold chose "orange" as the color for their window, it can be inferred that they are, indeed, in league with the minions of Chaos. As the Universal Arbiter of Good Taste and quite the snappy dresser (if I do say so myself) I have, long ago, publicly declared my least favorite color, orange, as representative of Nameless Evil.)

In any case, the appearance of a window bearing the hues of the-color-that-shall-not-be-named catches Joe, who is otherwise occupied, a bit off guard:

"Welcome to the AntivirusGold 2.0 Setup Wizard"

Were Joe more of an active participant in this little mise-en-scene, the leap to thoughts of viruses might be a less jarring juxtaposition. As things stand, however, virus "protection" isn't foremost in Joe's thoughts, and with his free hand, he clicks through the Evil-colored windows trying to return to his previously scheduled programming.

Joe agrees to the program's license, lets the installer choose the directory where the files will go, and then, happily clicks on "Install," hoping to be done with this whole sordid mess and return to the business... uh... at hand.

But, when another, even more evil-colored window pops up, declaring that his now freshly scanned computer is infected with spyware, Joe decides that perhaps it's time he found a new hobby. Luckily for him, this wonderful, new-found antivirus program that seemed to have been magically installed on his machine had not only warned him about the spyware, but it was now offering to remove it for him...

Oh, joy!

Goin' for Gold

AntivirusGold showed up on Joe's machine as avg.exe, 2,663,231 bytes of NullSoft installer goodness. (Note: AntivirusGold should not be confused with AVG Antivirus by Grisoft. Through an unfortunate coincidence of naming, they sound a whole lot alike. They aren't. The folks at Grisoft are good people, and I don't want any confusion about names to lead anyone to think otherwise.)

When an installer weighs in anywhere over 2MB, you gotta figure that what's going to come out the other side may not be too pretty. AntivirusGold certainly doesn't disappoint. The programmer in me could spend quite a few paragraphs enumerating the slipshod results of unintelligent software engineering, but let's just leave it at this: I have about as much respect for their programming talent as I have for their taste in color.

"So it's another poorly written piece of software," I hear you cry. "If that was a crime, Redmond would be a penitentiary."

"True," I reply, "and if these folks stopped there, then I would only make fun of them behind their backs, like I do to Microsoft."

The problem is, they don't stop there.

You see, AntivirusGold is a nasty little lying piece of software.

What did you say, Tom?

"A nasty little lying piece of software."

Got it now?

AntivirusGold does indeed act something like antivirus software. It scans through registry entries and cookies looking for the likes of Gator, Bonzi Buddy, et al. It looks through the filesystem and tries to find programs that match up (by filename only, not any type of signature) with a list of "known bad" files.

If it stopped there, then it would simply be a poorly written, ineffective spyware/virus scanner.

But there's more.

When it gets all done doing its scan, it tells you what it found and offers to remove it for you. Just like every other spyware/virus scanner...

But this one does it for a price.

Yes, you see, AntivirusGold pops up a window telling you "You are infected!", and offers to remove the "spyware" that it found. But when you click on the "Remove spyware" button, rather than removing something, it only offers you the option to register the program to the tune of $29.95.

The implication is obvious: "I found something bad on your machine, and it'll cost you three sawbucks to get it gone."

And what, pray tell, did AntivirusGold find that required removal and made it worth my hard-earned $29.95?

Absolutely nothing.

Using monitoring software, I watched as AntivirusGold scanned my machine.

I watched it looking for registry entries.

I watched it looking for cookies.

I watched it looking for files.

It didn't find a thing. Every query that it made for a cookie, a registry entry, or a file came back empty.

Now it's not exactly surprising that it didn't find anything. You see, AntivirusGold was running on a fresh, clean, brand-spankin' new install of Windows XP Home Edition that had never been used and never connected to the Internet.

The only non-default software on the machine was AntivirusGold itself.

And yet, I was "infected" with "spyware."

The astute reader may draw their own conclusions.
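Two things in the diary are worth seeing in code: the "known bad" list that matches on file name only (not any kind of signature), and the gap between what a scanner actually matched and what it told the user. The script below is an added example, not code from the diary and not anything from AntivirusGold. It builds a small constructed directory tree, runs a filename-only scan and a content-hash scan over it, and then audits a reported verdict against the scanner's real hits. The file names, contents, "known bad" names and hashes are all constructed for illustration.

```python
"""
Filename-only vs. content-based "known bad" matching, plus an audit of a
scanner's reported verdict against its actual hits.  Added example; the
file names, contents and lists below are constructed, not real spyware.
"""
import hashlib
import os
import tempfile

# Constructed list of the kind the diary describes: bare file names only.
KNOWN_BAD_NAMES = {"gator.exe", "bonzibuddy.exe", "trickler.exe"}


def sha256_of_file(path):
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_by_filename(root, bad_names):
    """Flag a file when its name alone is on the list (what the diary says
    AntivirusGold does).  Renaming the file defeats this; a harmless file
    with an unlucky name gets flagged."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in bad_names:
                hits.append(os.path.join(dirpath, name))
    return hits


def scan_by_hash(root, bad_hashes):
    """Flag a file when the hash of its content is on the list: the name is
    irrelevant, so a renamed copy is still caught and a benign file with a
    bad-looking name is left alone."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if sha256_of_file(path) in bad_hashes:
                hits.append(path)
    return hits


def audit_verdict(hits, reported_infected):
    """Compare the scanner's claim with what it actually matched.
    'false_alarm' is the case the diary observed on a clean XP install:
    "You are infected!" with zero underlying hits."""
    if reported_infected and not hits:
        return "false_alarm"
    if hits and not reported_infected:
        return "suppressed"
    return "consistent"


def build_sample_tree():
    """Constructed sample tree: a harmless file with a suspicious name, and
    one stand-in payload stored under its well-known name and again renamed."""
    root = tempfile.mkdtemp(prefix="fbm_")
    benign = b"Harmless text file that happens to be named like spyware.\n"
    payload = b"MZ\x90\x00 constructed stand-in for spyware bytes, not real code\n"
    files = {
        "gator.exe": benign,                    # bad name, harmless content
        "bonzibuddy.exe": payload,              # bad name, bad content
        "system32/update_helper.dll": payload,  # renamed copy of the bad content
        "notes.txt": b"nothing to see here\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    bad_hashes = {hashlib.sha256(payload).hexdigest()}
    return root, bad_hashes


def demo():
    """Run both scans over the sample tree and audit a rogue-style verdict."""
    root, bad_hashes = build_sample_tree()

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    by_name = sorted(rel(p) for p in scan_by_filename(root, KNOWN_BAD_NAMES))
    by_hash = sorted(rel(p) for p in scan_by_hash(root, bad_hashes))
    # A scanner that reports infection with no hits at all, as in the diary.
    verdict_on_empty = audit_verdict([], reported_infected=True)
    return {"by_name": by_name, "by_hash": by_hash, "verdict_on_empty": verdict_on_empty}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The filename scan flags the harmless `gator.exe` and misses the renamed `update_helper.dll`; the hash scan does the opposite, which is the whole point of matching on a signature rather than a name. The `audit_verdict` helper is the kind of sanity check a monitoring session like the one in the diary gives you for free: if the product says "infected" while every registry, cookie and file lookup came back empty, the verdict is a false alarm, whatever the window color.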


Handler on Duty - Tom Liston, Intelguardians