Fighting the Global War on Malicious Code

New Blog

Rather than resurrecting this dinosaur, all new posts will be on my new Wordpress blog, "Of Bytes and Badges." Feel free to drop me a line there and let me know you've made the switch, and welcome to a badly-needed update and overhaul!

- David Oxley

posted by David @ 9:00 PM, , links to this post

Told You So -- ErrorSafe Pop-Ups Served via Ruckus

Well, listening to my morning dose of Sara Groves, I saw a familiar pop-up that I'd called coming a short while ago (look towards the end):

That's right, ErrorSafe! (If you're not familiar with the rogue AV/registry cleaner/etc. scene, such programs claim that there are a bunch of problems that need to be fixed...for a fee. They install without user consent, and have little or no real functionality). Clicking anywhere on the message (NOTE: even on the red "X" in the corner) loads the ErrorSafe install page in IE7:

...and not only that, the page then attempts to install the rogue program without user consent (in this case, Symantec caught the .cab file while it was still in the Temporary Internet Files):

I've notified Ruckus about the advertisement, but it goes to show you the perils of 3rd-party ad networks. If you don't stay on top of the ads you're serving (or someone is serving on your behalf), something like this is bound to happen.

- David Oxley

UPDATE (8/17/07): Got hit with another redirect to on Ruckus today, with two chief differences:

1) The product advertised was WinAntiVirus2007
2) The ad was Flash-based, and automatically opened the ErrorSafe page without any user interaction whatsoever.

Ugh. Ctl-Alt-Del, end-task iexplore.exe, and send Ruckus an e-mail (I've yet to hear back concerning my first experience...)

UPDATE #2 (8/17/07): Received a response from Ruckus saying that it's been cleaned. Likewise, see the comments for an apology from their senior director. I commend them on getting this taken care-of so quickly -- I'm not giving up my Ruckus anytime yet. :)

Labels: , , ,

posted by David @ 4:18 AM, , links to this post

Ruckus Ads Get a Bit Too Much...

First off, I love Ruckus. It's a free service that allows college students to download and listen to unlimited song tracks. The catch? All files are DRM-protected, time-limited (but are instantly renewed), and you have to suffer-through a single banner ad in the player. Big deal.

As we all know, though, banner ads can have their own issues. In the past, I have seen Ruckus ads try to run JavaScript, open new windows without user interaction, and run shady "You've Won -" offers. Ho-hum.

So what's new? Zango content. In particular, a steamy banner advertising:

"Anna Nicole Smith Lesbian Bathtub Sex Part I"

...classy. This is a new one to my knowledge -- porn offered by Ruckus ads?

The yieldmanager ad redirects to where, not surprisingly, the user is presented with thumbnails of several supposed porn movies featuring the late Anna Nicole Smith, with the caveat that an install of Zango's adware is in order. Being rather opposed to the stuff myself (both Zango and porn, that is), I let the ad recycle. H&R Block. That's respectable.

Needless to say, care is in order. I wouldn't be surprised to see a rogue AV scanner in there sooner than later, and sneaking IFRAMEs and exploits has been done with shady affiliate networks in the past...

- Nexus7

Labels: , ,

posted by David @ 1:47 PM, , links to this post

A Little Phish-Finding

Well, I was bored. So what does an InfoSec student do when he's bored?

Hunt phishers, of course.

First, I headed over to SiteAdvisor to try and find an active phishing site. A Wells Fargo site is being hosted on a hacked immigration-support site:


Nothing special, mind you, just your standard hacking package. After a bit of fun with the source code and Tamper Data, I found the mailer, update.php. Unfortunately, all e-mailing is handled server-side (duh), so I had to try and find the uploaded PHP file. This was made *quite* easy by the hacker(s) leaving the entire uploaded kit,, behind. Doh.

Upon extracting update.php, I found the following interesting bits:

1) A given author of "KELVINROLEX" Googling the name returns a Mobango account for a Nigerian man with the same handle. (NOTE: I am NOT saying that this is the same guy! There is no evidence of that whatsoever, save for what we know of Nigeria and scams...)

However, there *is* another link that I think is safe to assume our phisher is responsible for. Meet the "Kelvinrolex Php Mailer," a lame attempt at God-knows-what. It calls itself a "Spamer Inbox," but it seems to have no real functionality (and at version 1.5, no less). Whatever. Kelvin's phishing script isn't all that much more interesting...the guys uses Frontpage, for chrissake!

2) An e-mail addy:
This little gem returns several hits on Google. Meet David Alvin Maxwell, a nice gent who spends his time defrauding women with romance scams. I guess the photos of legit models isn't all he's stealing these days...

3) A second e-mail address:
No hits on Google, unfortunately.

Interesting part? Though Mr. Mobango is innocent until proven guilty, Mr. Maxwell is also from Nigeria. Hmmm.

Gotta love those anonymous Internets, waiting to be pillaged and plundered by techno-pirates such as KELVINROLEX and dv_max4009. Erm, Kelvin and David. From Nigeria. *grin*

- Nexus7


posted by David @ 6:57 PM, , links to this post

Apple Just Got Pwned

...and I couldn't be happier.

Microsoft Surface is here.

Need I say more?

- David


posted by David @ 6:37 AM, , links to this post

It's Been a While

I know my posts have been spotty at best -- alas, trying to keep two blogs updated is a pain-and-a-half, and thoughts of trying to consolidate them in some small way are definitely being considered. However, even when I'm not posting about malware, you can bet that I'm reading about it. Here's my Google Reader subscription list for malware blogs:

General and Misc. Malware/InfoSec:
Anti Rootkit Blog
Bits from Bill
Dancho Danchev - Mind Streams of Information Security Knowledge
ReveNews: Revenue Sharing Opinions
SANS Internet Storm Center, InfoCON: green
Security Fix
SecurityFocus News
Sick of spam? Get mad and get even: Blog

Malware Fighters:
Donna's SecurityFlash
Malware Advisor
Security Cadets
Security Garden
Spyware Sucks
The SpywareGuide Greynets Blog - A Revolution is the Solution
wng's blog

Security Vendors:
Authentium Virus Blog
F-Secure Antivirus Research Weblog
F-Secure Linux weblog
Kasperky Lab Weblog
Panda Research
Security Response Weblog (Symantec)
Spybot-S&D news

A motley crew, but I feel that I get a good sense of current happenings in the malware-fighting world from them (not too many malware authors keep blogs that I know of...). Any glaring omissions I forgot or have yet to discover, or someone in there who shouldn't be?

- David


posted by David @ 6:14 AM, , links to this post

Worms, Part 3

So...looks like Mr. Rinbot has decided to release a new version of the beastie through computers already infected with the recent Rinbot.BC variant. Symantec is supposedly detecting this one as Rinbot.BF, though the variant mentioned in the write-up is NOT the same as the recent nasty, which runs from a file named "norantivirus.exe" in the Windows\System32 directory.

File name: norantivirus.exe
File size: 252416 bytes
MD5: e0fd62d3d4c0258547690524563d8419
SHA1: a63f017a3ab3405465ba90ba5377f30674aedbd3
packers: EXECryptor

AhnLab-V32007. virus found
Authentium4.93.804.20.2007no virus found
Avast4.7.981.004.21.2007no virus found
BitDefender7.204.22.2007no virus found
ClamAVdevel-2007041604.23.2007no virus found
FileAdvisor104.23.2007no virus found
F-Prot4.3.2.4804.20.2007no virus found
Microsoft1.240504.23.2007no virus found
NOD32v2221004.22.2007no virus found
Panda9.0.0.404.22.2007no virus found
Sunbelt2.2.907.004.19.2007no virus found
TheHacker6.1.6.09504.15.2007no virus found
VBA323.11.404.21.2007no virus found
VirusBuster4.3.7:904.22.2007no virus found

In addition, it was found active on a system running a vulnerable version of Symantec Client Security, but with NEW definitions loaded -- it was not detected upon a manual scan, either. Strange. Many of the vulnerable systems have already been exploited, cleaned, and patched with the BC run, though, so this one may have a harder time of things. Until there's a new 0-day to target, and there remains one dormant backdoored system on the network...

If nothing else, this is a reminder that a backdoor on a system is not just a risk for the user -- it's a backdoor into an entire network, and, conceivably, any and every computer on it.

- David

Labels: ,

posted by David @ 7:23 PM, , links to this post

Web This Blog

About me

    I'm David From Atlanta, Georgia, United States -- I'm a Computer Science undergrad at Emory University seeking to go into Network Security after grad school. More than that, I am a follower of Christ and a Christian, living the Journey and learning from others who are doing the same. My family and home rest in Fredericksburg, VA.
    My profile


Previous Posts

Helpful Sites

Favorite Forums

Favorite Blogs

Powered By

Powered by Blogger>