A user contacted me through ***Dave to let me know he was seeing extra content in SEB entries that didn’t look like it belonged there. He sent along a screenshot and a copy of the HTML source and, yep, there appeared to be extra paragraphs with spam links being inserted among the other text.
Here’s the screenshot:
Click to enlarge (ha!).
Awhile back there was some WP hacks going around (mainly through compromised plugins) that would insert hidden spam into a template that only showed up when you did a Google search for the blog in question, but otherwise didn’t show on the live site itself. This, however, appears to be something totally new.
I’ve checked SEB pretty thoroughly and it doesn’t appear to be anything generated here. The reader who reported the problem has since followed up saying that it only happens on his work laptop and not his personal machines at home. ***Dave also verifies that he doesn’t see it on any of his machines. I check SEB on a number of different PCs and smartphones regularly and I’ve never seen this happen so I’m assuming it must be something on the user’s laptop, but he says it only happens when he views SEB which seems oddly specific.
I can’t find anything on Google that seems to match this odd situation so I’m turning to you guys to see if anyone else has experienced this with SEB or something similar with some other site. Anyone else seeing this happen or know anything about a possible hack or virus that could cause it? Let us know in the comments.
We all have that one friend/relative/client who seems to get infected with some form of virus or malware every week and those of us who take on the task of cleaning up their PCs every time they do always tell the same joke: This wouldn’t happen if you’d stop visiting all those porn sites.
The average number of threats found on religious sites was 115 mostly fake antivirus software. By contrast, pornographic sites had less than a quarter, at around 25 threats per site. Of course, the number of pornographic sites is vastly greater than religious sites.
According to Greg Day, Symantec’s security CTO for Europe, the Middle East and Africa, while trojans may seem more serious, “if you have installed fake AV you may think you are protected, when in reality you are open to all sorts of attacks.”
This does make a certain bit of sense when you think about it. A lot of religious websites are set up and maintained by church people with varying degrees of computer skills whereas most successful porn sites are run by people who know what they’re doing and how to secure their platforms. No one thinks the asshats who put malware out on the net are going to bother with some piddly-ass church site so there’s less concern about updating software or locking down server access even if the person running it has a clue how to do those things. From the hacker’s point of view, however, every PC infected is one more PC in the botnet that can send out spam/DDoS attacks/whatever. A lot of attempted hacks are automated with scripts these days so if it’s trivial to hack a site and install your malware it’s worth doing so even if it only nets you a handful of PCs. Not like the hackers themselves even have to think about it.
Which is why you should always wear a condom when you go to religious websites. You know, just to be safe.
I got an email from an SEB regular about an email they got to check their PC to see if it’s infected that directed them to DCWG.org. She wanted to know if it was legit or a scam. I checked it out and wrote back and I thought the info would be useful for others so here’s her original email followed by my reply:
Subject: dcwg scam
Not hate mail, but a query: Is this dcwg.org computer checking site that the FBI is sending us to legit?
You’re the only computer guy I “know” [and not in the biblical sense!]
If you were sent a notice from your ISP I’d take it seriously and run a couple of the tests to verify. This is a nasty rootkit that modifies what DNS servers you connect to to resolve domain names (it’s how you get from typing in stupidevilbastard.com to an IP address the computer can understand which for SEB would be 22.214.171.124). The rootkit modifies the hosts file on your PC and can, apparently, even modify some home routers as well (especially if you never changed the default password). One clear sign is if your antivirus software has been disabled, but check the links for more info. It appears it’s the Alureon rootkit which you can read more about at Wikipedia: http://en.wikipedia.org/wiki/Alureon
Don’t panic too much. Even if you are infected and lose connectivity in July your PCs can be fixed. The reason they’re working now is the FBI has seized the rogue DNS servers and replaced them with non-naughty ones, but they’re not going to keep them running forever. When they shut them done in July your PC won’t be able to resolve domain names. It’s not that you’re not connected to the net, just that you’d be limited to typing in IP addresses like the one I gave you for SEB. That bypasses DNS altogether.
Bought a Samsung computer recently? Might want to run a malware check on it as it appears they may be intentionally installing a keylogger on it without telling you. Security consultant Mohamed Hassan has written an article for Network World that explains how he discovered the software on two new Samsung computers he purchased:
While setting up a new Samsung computer laptop with model number R525 in early February 2011, I came across an issue that mirrored what Sony BMG did six years ago. After the initial set up of the laptop, I installed licensed commercial security software and then ran a full system scan before installing any other software. The scan found two instances of a commercial keylogger called StarLogger installed on the brand new laptop. Files associated with the keylogger were found in a c:\windows\SL directory.
According to a Starlogger description, StarLogger records every keystroke made on your computer on every window, even on password protected boxes.
Hassan removed the software and continued on his merry way until some system trouble prompted him to return the laptop and purchase another higher-end Samsung from a different store. When he got home he found that it also had the StarLogger software on it:
Again, after the initial set up of the laptop, I found the same StarLogger software in the c:\windows\SL folder of the new laptop. The findings are false-positive proof since I have used the tool that discovered it for six years now and I am yet to see it misidentify an item throughout the years. The fact that on both models the same files were found in the same location supported the suspicion that the hardware manufacturer, Samsung, must know about this software on its brand-new laptops.
Once might have been an anomaly, but twice makes it pretty clear that this was by design. Given the fiasco with the Sony BMG rootkit a couple of years back you’d think Samsung would know better than to pull something like this, but, just like Sony before them, they tried to claim no knowledge of the software:
On March 1, 2011, I called and logged incident 2101163379 with Samsung Support (SS). First, as Sony BMG did six years ago, the SS personnel denied the presence of such software on its laptops. After having been informed of the two models where the software was found and the location, SS changed its story by referring the author to Microsoft since “all Samsung did was to manufacture the hardware.” When told that did not make sense, SS personnel relented and escalated the incident to one of the support supervisors.
The supervisor who spoke with me was not sure how this software ended up in the new laptop thus put me on hold. He confirmed that yes, Samsung did knowingly put this software on the laptop to, as he put it, “monitor the performance of the machine and to find out how it is being used.”
In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.
Yeah, that’s a bullshit answer. Keyloggers don’t monitor performance, they monitor your fucking keyboard. Hence the name KEYLOGGER. This particular keylogger is also capable of taking screenshots and emailing them along with the captured data without you ever knowing about it. Imagine buying a brand new computer and doing some online shopping or banking without knowing that it’s recording everything you type and sending it back to the manufacturer. Well, some of you probably don’t have to imagine that happening to you.
I can’t think of a single legitimate reason for Samsung to be capturing that kind of data. What are they really using it for? How are they securing it? How long are they keeping it? What makes them think this is even remotely legal?
This is particularly annoying as I like a lot of things Samsung makes, the LCD monitors on my desk are from Samsung. I don’t own any computers made by them and I’ll definitely think twice before picking one up. The only question now is how long before the class action lawsuit is filed.
[Updated 9:35AM 3/31/11] Samsung didn’t waste anytime looking into this and it appears that they may be the victim of a false positive according to this article at CrunchGear:
Word comes from Samsung’s official Korean language blog, Samsung Tomorrow, that the company was able to recreate the incident and a keylogger is not on a factory-fresh notebook. The company states that the VIPRE security software used by the original whistleblower mistakenly reports the Microsoft Slovene language folder (c:\windows\SL) as the commercially available Starlogger keylogger. See the screenshot above for the proof — or if you have a R525 or R540 notebook, recreate the test yourself. As it sits right now though, it seems Samsung didn’t follow Acer’s lead and ship infected notebooks.
This is good news indeed. I can imagine Samsung wanted to nip this potential PR disaster in the bud as quickly as possible.
Meanwhile back in the Windows ‘verse all the anti-virus and system patches in the world won’t make a bit of difference if no one bothers to actually apply them to their systems. A new malware package known as Conficker has been making sudden gains on systems across the net taking advantage of a vulnerability in Windows that was patched months ago. This prompts Joel Hruska over at ArsTechnica.com to ponder whether critical updates should be forced onto systems:
Microsoft issued a patch for MS08-067 on October 23 and rates the severity of the flaw as “Critical.” for all previous versions of Windows 2000, XP, XP-64, and Server 2003. Windows Vista and Windows Server 2008 are apparently less vulnerable; Microsoft’s aggregate severity rating for these two operating systems is “Important.”
There’s a story within the rise of Conficker that I think is worth exploring. Microsoft appears to have dealt with this issue in textbook fashion; the company issued a warning, released a patch, and (presumably) rolled that patch into November’s Patch Tuesday. A significant amount of time—five to six weeks—has passed since Microsoft released its fix, yet PC Worldreports Conficker may have already infected as many as 500,000 systems.
It would be extremely fascinating to see data on how a patch spreads throughout the Internet once released by Microsoft as well as information on whether or not the severity of any particular flaw affects how rapidly users move to apply the patch. Events like this this raise the question of whether or not Microsoft should have the capability to push critical security updates out to home users automatically, regardless of how AutoUpdate is configured. I say home users for a reason; businesses and enterprise-class companies may still need to deploy the patch on a specialized timeline in order to ensure servers stay operational.
The idea of mandatory updates is unpopular with a lot of folks, myself included, but there’s a fair argument to be made here. Microsoft takes a lot of shit for having major holes in their OS, but a lot of those holes are patched within a reasonable time upon their discovery. Those patches don’t do any good if they’re not applied and the average PC user is not a technical support guy like me and probably won’t even be aware that he needs to apply patches, but he won’t hesitate to blame Microsoft if he gets infected. At the very least I could see an argument for setting the option for critical updates to be installed automatically as the default with the option to turn it off for folks who know what they’re doing. We already have a number of different software packages, mostly DRM systems, that update themselves automatically whether the user wants them to or not and a lot of folks seem to have no problem living with that situation (the rest of us just don’t use that software). I see a much stronger argument that can be made for Microsoft doing the same with critical updates than any DRM system.
The problem of unpatched systems has gotten bad enough that back in 2005 some ISPs started blocking infected systems from using their services and others have been breaking Internet protocols in controversial ways to try and combat the problem, but the best offense is a good defense and that means individual users keeping their systems patched and running current anti-virus software. The question then becomes: Should Microsoft be allowed to at least force the critical updates on its users?
Just got off the phone with my Dad after trying to diagnose a possible virus on his computer. Every time he starts up Firefox it goes nuts saying there’s a virus incoming and to abort the connection. We set up a Remote Assistance so I could see what was going on and indeed every time he tried to go to his homepage he got a virus warning. That homepage just happens to be Yahoo.com. Here’s the popup he was getting:
Seeing that there was something being appended to the end my first stop was to see what his homepage was configured for in his browser. Sometimes when you install malware on your system it’ll change the default webpage of your browser so it can install even more junk, but pulling up the options screen it was clear that last bit wasn’t part of the URL. That seemed odd so on a lark I tried to pull up Yahoo myself and, sure enough, my Avast went nuts warning me of a virus and showing the same URL. I’m pretty sure both our PCs aren’t unknowingly infected with the same virus so the only logical conclusion is that it must be coming from Yahoo! directly. Either they’re trying to pull something over on their users or their servers have been hacked.
Anyone else experiencing the same thing at the moment? Dad says it was fine earlier today and there’s nothing on any of the tech sites I frequent about it so it must be something that’s happened only recently.
Update: It appears that it’s a false positive with Avast. Manually telling it to update the .dat files cleared up the issue.
If you’ve never gotten around to changing the default password on your home Internet router, and there’s a lot of you who haven’t, then you should go change it right now. There’s a new trojan making the rounds that’s really bad news:
A new Trojan horse masquerading as a video “codec” required to view content on certain Web sites tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers.
According to researchers contacted by Security Fix, recent versions of the ubiquitous “Zlob” Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim’s domain name system (DNS) records so that all future traffic passes through the attacker’s network first. DNS can be thought of as the Internet’s phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.
[…] The type of functionality incorporated into this version of the Zlob Trojan is extremely concerning for a number of reasons. First, Zlob is among the most common type of Trojan downloaded onto Windows machines. According to Microsoft, the company’s malicious software removal tool zapped some 14.3 million instances of Zlob-related malware from customer machines in the second half of 2007.
The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer’s Internet connection is functioning fine.
Checking router settings is certainly not one of the things I think to do when cleaning up an infected machine as this is a first as far as anyone knows. You can bet it’ll be something I consider looking at from now on, especially if I know the user in question doesn’t know anything about DNS routing. You should always change the default password on your router along with, if possible, the username of the administrator account itself. Attackers don’t have to have physical access to your machine to attack your router any longer.
Once it became clear that there was big money to be made in malware it was only a matter of time before it started getting really sophisticated and some of the worst of the worst are being developed in China:
An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games – and its designers might have larger targets in mind.
“It is a nasty worm that has a great deal of intelligence,” said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse.
The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from remote locations and hides files, which it names randomly, on any PC it infects, making itself very difficult to remove. It spreads by hiding itself on photo frames and any other portable storage device that happens to be plugged into an infected PC.
The authors of the new Trojan Horse are well-funded professionals whose malware has “specific designs to capture something and not leave traces,” Grayek said. “This would be a nuclear bomb” of malware.
In fact quite a few people found themselves infected with this and several other trojans after plugging in digital picture frames they got for Christmas:
The initial reports of infected frames came from people who had bought them over the holidays from Sam’s Club and Best Buy. New reports involve frames sold at Target and Costco, according to SANS, a group of security researchers in Bethesda, Md., who began asking for accounts of infected devices on Christmas Day. So far the group has collected more than a dozen complaints from people across the country.
The new Trojan isn’t the only piece of malware involved. Deborah Hale of Sans said the researchers also found four other, older Trojans on each frame, which may serve as markers for botnets – networks of infected PCs that are remotely controlled by hackers.
There’s at least one part of this article that I’m sure will delight owners of Macs and Linux based PCs:
Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.
Let the gloating begin.
Things are likely to get worse before they get better as the malware authors are pumping out new code at a pace fast enough that the anti-virus companies are having trouble keeping up. According to Prevx there are already 67,500 variants of the trojan talked about in the article. Right now it appears this trojan only steals passwords to some MMORPGs, but it’s thought that it’s a test run in preparation for something more insidious.
IBM Internet Security System’s X-Force has released its annual report (PDF) on malware trends and statistics from last year. 2007 saw some significant changes in malware distribution, and there’s reason to think that some of these shifts mark the beginning of new attack patterns rather than small abnormalities. The following are some of the highlights from the report:
Reported vulnerabilities in 2007 were down five percent compared to 2006, but the number of those vulnerabilities that were classified as severe rose by 28 percent.
Microsoft, Apple, Oracle, IBM, and Cisco reported the most vulnerabilities, but collectively account for only 13.6 percent of all reported vulnerabilities.
90 percent of the 2007 vulnerabilities were exploitable from a remote location, up 1 percent from 2006
Most in-the-wild exploits are being generated by web toolkits. Prevalence of these toolkits has risen dramatically since they appeared in 2006.
There’s a couple of things in the report that stood out to me. The first being that, contrary to what most people seem to believe, Microsoft products aren’t miles and away worse in terms of security than those of Apple, Oracle, IBM, and Cicso. Of those top 5 vendors a good 80% of the known vulnerabilities have been patched and while that still leaves 20% of them unpatched, that’s still a boatload better than the 50/50 ratio that everyone else tends to have.
The second thing that stood out is the fact that the percentage of exploits that could be accessed remotely jumped from 43.6 percent in 2000 to 89.4 percent this year. That’s huge and shows just how valuable taking over your PC has become to these people:
Trojans were the overall darlings of the year, accounting for 26 percent of all malware distributed. Worms, adware, viruses, and downloaders also grabbed significant chunks of the pie, while keyloggers, rootkits, and spyware all were all confined to small pieces of the market. Trojans were also responsible for the largest number of malcode additions in 2007—a total of 109,246 new Trojans were detected in 2007, compared to 64,173 worms, 55,873 adware programs, and 48,889 viruses.
Those numbers are staggering, though it helps to keep in mind that a lot of these programs are variations on a theme as each hacker modifies the code to try and avoid detection and/or adapt it to their specific goals. It all should act as a reminder of the need to keep your anti-virus software up to date, make use of a decent firewall, and be very careful about knowing exactly what you’re installing on your PC. Some of the more recent, but less successful, exploits have tried to spread themselves through PDF and MP3 files. While some of the most successful exploits are the fake media codecs from sites that tempt you with some outrageous or titillating video that requires you to install a media codec you’ve never heard of before you can watch the clip. When you do you’re suddenly infected with malicious downloader or spyware.