Error Check System: As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence.
It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula: create something that spawns a search, then be ready to provide results that redirect to malicious sites.
Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic… They're both.
Let's take a look at some other recent examples.
Kenny Glenn: Just over a week ago, on February 15th, an anonymous teenage boy abused a cat called Dusty and posted video on YouTube.
The Dusty video rapidly ignited a vigilante campaign and three hours later the boy was identified as Kenny Glenn from Lawton, Oklahoma. The local Sheriff was called in and Dusty was removed from the boy's home.
But things went further still: Facebook groups were formed calling for Glenn's punishment; Glenn's MySpace page was defaced; the family's personal information was posted online; and the Glenn Oil Company website, owned by Glenn's father, was hacked.
When it occurs, this type of Internet vigilantism moves very quickly and soon takes on a life of its own. That then starts the news cycle and presents an opportunity for abuse.
While following the Dusty story ourselves, we read this post from blog.SpywareGuide.
Rogue vendors attempted to capitalize on the growing interest in the Kenny Glenn meme, and searches for Glenn were directed to rogue sites. Here's a screenshot of the Google search results for "kenny glenn cat" from last Thursday:
The highlighted freewebs.com result redirected to a site that attempted to push XP Police.
The SpywareGuide blog was posted on Wednesday; our search 24 hours later still yielded rogues.
Testing the XP Police site with a Mac demonstrates just how bogus these scams are:
Images: 1, 2
Now obviously the bad guys didn't know in advance that Kenny Glenn would abuse poor Dusty. They were just taking advantage of the situation and jumped into action.
But are there situations where rogue affiliates have created opportunity? Yes there are…
Parking Tickets: That's right, parking tickets in North Dakota.
SANS blogged about it earlier this month.
Some North Dakotans found a yellow ticket on their windscreen reading:
• "PARKING VIOLATION This vehicle is in violation of standard parking regulations".
That sounds kind of familiar.
The supposed ticket then instructed the victim to visit a website where the driver could:
• "view pictures with information about your parking preferences"
To view the pictures, a toolbar had to be installed, which then pushed rogues at the victim.
The BBC reported on it here.
Microsoft: Last October, Microsoft and Washington state started suing scareware purveyors. There are also some recent cases in which rogue bank funds were seized. Perhaps that's a good start, but it isn't nearly enough. The real bad guys aren't scared.
How's this for bold?
Many XP Antivirus variants hamper analysis by checking for an Internet connection. Our test networks need to be configured to provide the expected reply if we want to automate our analysis.
And what page does the rogue check for?
• http://update.microsoft.com/windowsupdate/v6/thanks.aspx
The XP Antivirus gang has been doing this for some time now… seems to us like a slap in Microsoft's face.
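As an added example (not F-Secure's tooling), here is a minimal Python "fake Internet" responder for an isolated analysis network, built around the probe URL above: it answers that request with a 200 so the sample proceeds, and records everything else the sample asks for. It assumes lab DNS already points update.microsoft.com at the responder host, and assumes a plain 200 HTML reply satisfies the check (the post names the URL, not the content the rogue inspects).

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# The page the rogue probes before it will run (taken from the post above).
CHECK_HOST = "update.microsoft.com"
CHECK_PATH = "/windowsupdate/v6/thanks.aspx"
# Every request seen; reviewed afterwards for what the sample contacts once it thinks it is online.
SEEN = []

def classify(host, path):
    """Label a request as the known connectivity probe or as something to investigate."""
    host = host.split(":")[0].lower()
    return "connectivity-check" if (host, path) == (CHECK_HOST, CHECK_PATH) else "unexpected"

class FakeInternet(BaseHTTPRequestHandler):
    """Answers the probe with 200 so the sample proceeds; everything else gets 404."""
    def do_GET(self):
        host = self.headers.get("Host", "")
        kind = classify(host, self.path)
        SEEN.append((host, self.path, kind))
        if kind == "connectivity-check":
            # Assumption: a 200 with a small HTML body satisfies the check; the
            # post names the URL, not the exact content the rogue looks for.
            body, status = b"<html><body>Thank you.</body></html>", 200
        else:
            body, status = b"not found", 404
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # SEEN is the log; keep stdout quiet
        pass

def start_responder(port=0):
    """Serve on a background thread; returns the bound port (0 = pick a free one)."""
    srv = HTTPServer(("127.0.0.1", port), FakeInternet)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def probe(port, host, path):
    """One GET with a chosen Host header, standing in for the lab's DNS redirect."""
    req = Request(f"http://127.0.0.1:{port}{path}", headers={"Host": host})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
```

In a real lab the responder listens on port 80 and the lab resolver answers every name with its address; SEEN is then the first place to look for the download and affiliate URLs the sample fetches after the check passes.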
We would like to see Microsoft slap them back. Using a hammer.
Posted on 24/02/09 at 04:55 PM