
Chat with malcode

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 3 min
  • Word Count: 476 words

It’s time for your daily dose of “spot the fake program / avoid the fake program”. What is it this time? Well, if you have family members who are into webcams and chatting you might want to point them to this writeup, because a new challenger has entered the ring: Yes, “Chat Cam” is a rather smart-looking (and entirely fake) program designed to make end users think they’re taking part in a large community of webcam owners. Clearly, the creator had the recently launched Chatroulette in mind when they made this one (if you’re not familiar with it, Chatroulette is a site where you jump from webcam chat to webcam chat over and over again, all within one large community of strangers. In practice, you tend to mash the “Next” button endlessly as one “chat” after another fails to materialise). This is what Chatroulette looks like – you’ll notice the similarity as we move further into the writeup: ...


FakeAV, now for Windows 7!

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 2 min
  • Word Count: 348 words

It’s been over a year since we first started seeing the familiar fake Windows XP “My Computer” page, where it appears your drives are being scanned and a bunch of non-existent malware is reported on your computer. Yesterday I was investigating the latest hot news item, in which a FAMU (Florida Agricultural and Mechanical University) sex tape was released on the internet, and sure enough I found many SEO-poisoned links claiming to have the video. Imagine my surprise when I saw the following. ...


Mariposa botnet take down

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 2 min
  • Word Count: 261 words

Readers may well have read some of the news stories posted after yesterday’s news concerning the take down of the “Mariposa” botnet. So what is Mariposa? Mariposa is the name given to a particular botnet that started getting some attention during the first half of 2009. The botnet was dubbed Mariposa after the name of one of the C&C servers it used, butterfly dot sinip dot es, since Mariposa is the Spanish word for butterfly. ...


The Internet as a moral ground

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 2 min
  • Word Count: 253 words

“in that space one can easily indulge in depravity, lies, vulgarity”

Here’s a sort of comment about the Internet that you don’t see much in the news. The Russian government news service RiaNovosti is reporting that Patriarch Kirill of Moscow and All Russia (head of the Russian Orthodox Church) told school students in Moscow that “Nowadays the Internet is a kind of laboratory where an individual should be formed and where a character should be sharpened.” ...


Malicious iframes on Google-analitics(dot)net

  • Post author: Omid Farhang
  • Post published: March 4, 2010
  • Reading Time: 1 min
  • Word Count: 30 words

Right! A site registered in the state of “Taliban.” You’re really going to go to a site with this registration? Nice work, SANS. Thanks to Daniel Wesemann at SANS: http://isc.sans.org/diary.html?storyid=8350


I'm Feeling Lucky?

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 2 min
  • Word Count: 419 words

Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Macs are indeed attacked less than Windows PCs, but that isn’t necessarily because the Mac is more secure: Windows has a larger market share, and that equals more potential victims. How about search engines? What is the biggest search engine on the block? Google — and the bad guys know it. The result? ...


Baidu: Register.com replaced its DNS credentials for some guy in a chat room

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 3 min
  • Word Count: 435 words

Last month, Baidu, the leading search engine in China, filed suit against US-based Internet registrar Register.com, in a legal event that took place at the height of the debate over Google’s continued business dealings with China. Baidu accused the registrar of changing its DNS records so that customers were redirected to a completely different site purporting to represent the “Iranian Cyber Army.” But that original suit was heavily redacted, so we didn’t know the specifics of the alleged defacement. This week, the US District Court in New York released the unredacted version of Baidu’s complaint, and now, as the man once said, we know the rest of the story. ...


NOT the real VirusTotal.com

  • Post author: Omid Farhang
  • Post published: March 2, 2010
  • Reading Time: 1 min
  • Word Count: 197 words

In addition to my last post: http://boelectronic.blogspot.com/2010/03/free-fakeav-at-virus-total-thats-not.html VirusTotal.com [http://en.wikipedia.org/wiki/VirusTotal.com] is a brilliant site that helps public and researchers alike determine whether an executable file they have is potentially malicious. Julio Canto (of VirusTotal fame) has noticed that somebody decided to cash in on the good name of the site with the following domain: virus-total(dot)in. Go there and you’ll see a message claiming the site is a “free online antivirus scanning service, click SCAN to begin scanning”: ...


Multiple personality disorder?

  • Post author: Omid Farhang
  • Post published: March 1, 2010
  • Reading Time: 1 min
  • Word Count: 182 words

Are malware authors and spammers suffering from the same affliction of “word salad”, or are they perhaps devoted students of Afringlish? Why else would one combine random words in an attempt to look legitimate? The reason is a simple one: not only are humans good at associating meaning with names, they are also exceptionally good at filling in the blanks, while machines are not. Thus, by carefully selecting particular names for insertion into the version information of malware samples, such as those of reputable software houses, the authors attempt to exploit this human trait. Presumably, they also hope to bypass security scanners that approve files based on such superficial attributes. ...


Analyzing PDF Files

  • Post author: Omid Farhang
  • Post published: March 1, 2010
  • Reading Time: 1 min
  • Word Count: 166 words

We’ve been seeing a gradual shift in how malicious PDF files are coded (no surprise there; we know malware authors can and do adapt their techniques). For a long time we saw malicious PDF files that were simple enough to let us readily decipher the intent of the malicious code: shellcode, download/execute, drop and load, et cetera. Now we’re seeing more and more complex obfuscation, which requires us to break the PDF file down. This can make an analyst’s daily life more miserable, or more interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors. ...
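Breaking a PDF down by hand, as the paragraph describes, comes down to finding the objects, undoing the name and stream obfuscation, and then looking for the action and script keywords that tell you what the file wants to run. The following is an added example (editor’s code, not from the original post or its author) of a minimal stand-alone triage script in Python: it locates indirect objects with regular expressions, decodes `#xx` hex-escaped names such as `/J#61vaScript`, undoes `ASCIIHexDecode` and `FlateDecode` filter chains (including truncated deflate streams, which some samples use to throw off strict decoders while the reader still renders them), honours a direct `/Length` so a stray `endstream` inside binary data does not cut a stream short, and reports suspicious names and shellcode-style strings per object. The sample PDF it builds is constructed for the example and is not a real malicious file; the keyword and indicator watchlists are assumptions a practitioner would tune.

```python
import re
import zlib

# PDF name objects may hex-escape any byte as #xx, so /J#61vaScript is /JavaScript.
NAME_RE = re.compile(rb"/([^\s/<>\[\]{}()%]+)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length only
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/<>\[\]{}()%]+)")

# Assumed watchlists, not from the post; tune them to your own cases.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/EmbeddedFile", b"/RichMedia", b"/XFA")
SHELLCODE_HINTS = (b"unescape(", b"%u", b"eval(", b"fromCharCode")


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes in a PDF name given without its leading slash."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(dictionary: bytes) -> bytes:
    """Rewrite every name in an object dictionary to its canonical spelling."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), dictionary)


def split_stream(body: bytes):
    """Return (normalized dictionary, raw stream bytes or None) for one object."""
    sm = STREAM_START_RE.search(body)
    if not sm:
        return normalize_names(body), None
    dictionary, rest = normalize_names(body[:sm.start()]), body[sm.end():]
    lm = LENGTH_RE.search(dictionary)
    if lm and b"endstream" in rest[int(lm.group(1)):]:
        return dictionary, rest[:int(lm.group(1))]
    # /Length missing, indirect or lying: fall back to the endstream marker.
    return dictionary, rest.split(b"endstream", 1)[0].rstrip(b"\r\n")


def apply_filters(dictionary: bytes, raw: bytes) -> bytes:
    """Decode a stream through its /Filter chain (ASCIIHex and Flate only)."""
    m = FILTER_RE.search(dictionary)
    names = NAME_RE.findall(m.group(1)) if m else []
    data = raw
    for name in names:
        try:
            if name == b"FlateDecode":
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    # Truncated or corrupted deflate data is a known evasion; the
                    # reader still renders what it can, so recover the partial output.
                    data = zlib.decompressobj().decompress(data)
            elif name == b"ASCIIHexDecode":
                hexdata = re.sub(rb"[\s>]", b"", data)
                if len(hexdata) % 2:
                    hexdata += b"0"  # the spec pads a trailing odd digit with 0
                data = bytes.fromhex(hexdata.decode("ascii"))
            else:
                break  # LZW, DCT, JBIG2 etc. are out of scope for this first pass
        except (zlib.error, ValueError, UnicodeDecodeError):
            break  # keep whatever was decoded so far for the string scan
    return data


def triage(pdf: bytes) -> dict:
    """Map suspicious names to the objects using them; flag script-like streams."""
    report = {"keywords": {}, "indicators": {}}
    for m in OBJ_RE.finditer(pdf):
        obj_id = int(m.group(1))
        dictionary, raw = split_stream(m.group(3))
        content = apply_filters(dictionary, raw) if raw is not None else b""
        for kw in SUSPICIOUS_NAMES:
            if re.search(re.escape(kw) + rb"(?![A-Za-z0-9])", dictionary):
                report["keywords"].setdefault(kw.decode(), []).append(obj_id)
        hits = [h.decode() for h in SHELLCODE_HINTS if h in content]
        if hits:
            report["indicators"][obj_id] = hits
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample: escaped names plus a Flate-compressed script (not real malware)."""
    js = b"app.alert('hi'); var sc = unescape('%u9090%u9090');"
    packed = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(packed)).encode() +
            b" /Filter /Fl#61teDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

On the sample this reports `/OpenAction` in object 1, `/JavaScript` and `/JS` in object 3, and `unescape(` plus `%u` in the decoded stream of object 4, which is the chain an analyst wants to see at a glance: the document opens an action that runs a script that builds a Unicode-escaped buffer. The regex approach deliberately ignores the xref table, object streams (`/ObjStm`), encryption and incremental updates, so treat it as a first pass that tells you which objects deserve a proper parser and a JavaScript deobfuscation step, not as a verdict.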
