Crashed Pips - Computers, politics, emetic trash

Monday, August 4, 2008

What’s Wrong With This Scanner?

Filed under: Security — Jonathan Rothwell @ 02:22

I’ve just been told my C: drive is infected by errors in all the .dll files by a free online error and virus scanner I found on the Internet! OMG OMG OMG!

What makes this particularly amazing is that the scanner claims to have found viruses on the C: drive - when there is no C: drive (I’m on the Eee at the moment running Ubuntu). See what I’m getting at here?

However, people do get taken in by these things. I’ve seen it happen before where the Messenger Service in Windows XP has been hijacked, and gullible/inexperienced users have listened to the message, no questions asked. Of course, they don’t read the EULA (who does? they say.)



Saturday, September 8, 2007

Honeypot Experiment #1 - screensavers.com

Filed under: Uncategorized — Jonathan Rothwell @ 18:35

So, with the Crashed Pips honeypot set up and ready, the first experiment took place, using a certain search engine and a known supplier of malware.

Honeypot

The honeypot takes forever to boot - virtual machines are generally very slow and resource-intensive on the rest of the system. Windows took around ten minutes to get to a usable desktop.

Honeypot #1 - usable desktop

The usable desktop, before the infectofest started. And now we bring you coverage of experiment #1 - how easy it is for an inexperienced computer user to infect their machine using only Microsoft’s own search engine.

Honeypot #1 - MSN

Alarm bells should immediately start to ring at this point - in this case, an outdated version of Internet Explorer is being used, there is no antivirus software (see the system tray’s Windows Security warning) and the fictional user is now going to look, using Windows Live Search, for a screensaver for his/her new setup.

Honeypot #1 - Search results

The first organic result here is for screensavers.com, which, according to a SiteAdvisor report, is a distributor of adware and spyware.

So, taking the position of the gullible computer user, here’s the download page for the Matrix screensaver.

Honeypot #1 - Download page

‘Virus checked’ and ‘Spyware checked’ are visible below the ‘download’ link. Lies. Lies. Lies. As indicated by the next page:

Honeypot #1 - Starware offer

Uh-oh! Starware is a known spyware distributor, and to an inexperienced computer user this would appear to be quite a good software package. Note that the installer (even without the toolbar) automatically dumps an ‘affiliate shortcut’ on your desktop (essentially an invitation for spam galore).

Honeypot #1 - Install complete

After the install is complete, you are offered these (seemingly good) options.

Not so. The search engine actually uses your searches to create an advertising profile that helps ads to be delivered (outside the browser) that you are more likely to respond to. It isn’t like Google or most other search engines, which use the search data to optimise the searches. These are used to make you easier to sell to.

And this was just the Starware toolbar that was actually installed.

Honeypot #1 - Install really complete

Aha! The screensaver has finally been installed, after a multitude of bogus free offers and all sorts of other junk. And we’ve now effectively opened up the honeypot to other spyware/adware etc.



Wednesday, September 5, 2007

The Crashed Pips Honeypot Experiment

Filed under: Uncategorized — Jonathan Rothwell @ 19:24

A honeypot is a computer (or virtual computer) designed to catch all those internet nasties that you’d normally want to avoid - so that people can be educated on what they do and how to avoid them, and to study them and find out which ports they use, what files they’re reading that they shouldn’t be etc.

So, with that settled, I can now announce the Crashed Pips Honeypot Experiment 2007. Over the next 30 days, I shall be making occasional posts updating you on the results of the experiment. I may even prepare a report/conclusion at the end.

What is the machine’s setup?

The machine’s a Virtual PC setup using 128 MB of RAM and a 15 GB hard disk (more than adequate for this purpose). It will be running an installation of Microsoft Windows XP Professional without any security software installed whatsoever apart from what is built directly into the operating system - in this case, nothing more than a firewall. Windows Update warnings will also be ignored.

How will you hose the machine?

I will visit certain websites, and leave ports open deliberately in an attempt to lure viruses, spyware etc into the honeypot. I also intend to follow spoof virus warnings that lead to spyware, and to install certain software that is known to contain advertising and spyware.

How realistic is this experiment? Could I cite it in a paper?

There is no way that this experiment could be called realistic, because a special effort is being made to infect the machine with as much malware as possible. This will therefore make the test wildly unrealistic and inaccurate. If you’re quoting this in a scientific paper or anything serious, you’re a Cornish sardine.



Tuesday, May 8, 2007

The google/goggle.com video

Filed under: Uncategorized — Jonathan Rothwell @ 19:15

This viral video, which has lately been doing the rounds on YouTube, is a classic “doomsday” video of how your computer will die if you visit a certain web site - in this case, goggle.com, a mis-spelling of google.com.

Now, I decided to see if “goggle.com” really existed, because I doubt the consequences would be too diabolical. This would be because

  1. I’m using Firefox
  2. I’ve got JavaScript switched off by default, which is normally how these attacks are sprung.

At first sight, the web site should start to ring alarm bells as not being Google’s home page.

Fake Google homepage (goggle.com)

Other important points to note:

  1. McAfee SiteAdvisor lists the site as red, meaning “use extreme caution”.
  2. NoScript has blocked some kind of script. These days it’s not that unusual, as practically every web page triggers some JavaScript, but combined with the fact it’s not Google and that SiteAdvisor has listed the site as red, it is suspicious.
  3. There is an asterisk after the words “free” and “click here to claim” - but no matching footnote.

The space in the top-right hand corner was obviously meant to be occupied by a countdown timer, and a quick inspection of the JavaScript reveals:

<SCRIPT LANGUAGE="JavaScript" SRC="http://www.fluxads.com/goggle/slider.js"></SCRIPT>
<script>

var popunder="http://ads.trekdata.com/flux/insane0220.html"

var winfeatures="width=800,height=1000,scrollbars=1,resizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0"

var once_per_session=1

function get_cookie(Name) {
  var search = Name + "="
  var returnvalue = "";
  if (document.cookie.length > 0) {
    offset = document.cookie.indexOf(search)
    if (offset != -1) { // if cookie exists
      offset += search.length
      // set index of beginning of value
      end = document.cookie.indexOf(";", offset);
      // set index of end of cookie value
      if (end == -1)
         end = document.cookie.length;
      returnvalue=unescape(document.cookie.substring(offset, end))
      }
   }
  return returnvalue;
}

function loadornot(){
if (get_cookie('popunder')==''){
loadpopunder()
document.cookie="popunder=yes"
}
}

function loadpopunder(){
win2=window.open(popunder,"",winfeatures)
win2.blur()
window.focus()
}

if (once_per_session==1)
loadpopunder()
else
loadornot()

</script>
<script type="text/javascript">
var _countDowncontainer=0;
var _currentSeconds=0;
function ActivateCountDown(strContainerID, initialValue) {
    _countDowncontainer = document.getElementById(strContainerID);
    if (!_countDowncontainer) {
        alert("count down error: container does not exist: "+strContainerID+
            "\nmake sure html element with this ID exists");
        return;
    }
    SetCountdownText(initialValue);
    window.setTimeout("CountDownTick()", 1000);
}

function CountDownTick() {
    if (_currentSeconds <= 0) {
        window.location = "index.html";
        return;
    }
    SetCountdownText(_currentSeconds-1);
    window.setTimeout("CountDownTick()", 1000);
}

function SetCountdownText(seconds) {
    //store:
    _currentSeconds = seconds;
    //get minutes:
    var minutes=parseInt(seconds/60);
    //shrink:
    seconds = (seconds%60);
    //get hours:
    var hours=parseInt(minutes/60);
    //shrink:
    minutes = (minutes%60);
    //build text:
    //var strText = AddZero(hours) + ":" + AddZero(minutes) + ":" + AddZero(seconds);
	var strText = AddZero(minutes) + ":" + AddZero(seconds);
    //apply:
    _countDowncontainer.innerHTML = strText;
}

function AddZero(num) {
    return ((num >= 0)&&(num < 10))?"0"+num:num+"";
}
</script>
<script type="text/javascript">
window.onload=WindowLoad;
function WindowLoad(event) {
ActivateCountDown("CountDownPanel", 300);
}
</script>

The bit I’m concentrating on is the pop-under section (the loadpopunder function and the lines that call it), because that is the part that triggers a series of popup and pop-under windows after the countdown clock expires. These popups then have the ability (assuming JavaScript or ActiveX in IE is on) to install festoons of spyware, adware, fake spyware removal tools, adverts, etc. So if you were a novice and had to stop for five minutes to phone your techy son/local computer geek, the machine would get you anyway.
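As an added example (not part of the original post, and not code from the goggle.com page), here is a small Python script that pulls the external and inline scripts out of a captured page and flags the pop-under pattern shown above: a window.open() that is immediately blurred while the opener refocuses, a cookie-based once-per-visitor gate, and the pop-under URL itself. The sample HTML is a constructed, cut-down version of the script quoted above; the ScriptCollector and analyse names are my own.

```python
import re
from html.parser import HTMLParser

# Constructed sample, cut down from the goggle.com script quoted above.
SAMPLE_HTML = """<html><body>
<SCRIPT LANGUAGE="JavaScript" SRC="http://www.fluxads.com/goggle/slider.js"></SCRIPT>
<script>
var popunder="http://ads.trekdata.com/flux/insane0220.html"
var once_per_session=1
function loadornot(){ if (get_cookie('popunder')==''){ loadpopunder(); document.cookie="popunder=yes" } }
function loadpopunder(){ win2=window.open(popunder,"",winfeatures); win2.blur(); window.focus() }
if (once_per_session==1) loadpopunder(); else loadornot()
</script>
<script>window.onload=function(){ ActivateCountDown("CountDownPanel", 300); }</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Gather external script URLs and inline script bodies (HTMLParser lowercases names)."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []            # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def analyse(html):
    """Flag the pop-under tricks used on a page: returns indicators and the URLs involved."""
    p = ScriptCollector()
    p.feed(html)
    report = {"external_scripts": p.external, "popunder_urls": [], "indicators": set()}
    for body in p.inline:
        # window.open() immediately blurred while the opener refocuses = pop-under
        if all(re.search(pat, body) for pat in (r"window\.open\s*\(", r"\.blur\s*\(", r"window\.focus\s*\(")):
            report["indicators"].add("pop-under")
        if "document.cookie" in body:      # once-per-visitor gate hides the behaviour on repeat visits
            report["indicators"].add("cookie-gated loader")
        report["popunder_urls"] += re.findall(r'popunder\s*=\s*"([^"]+)"', body)
    return report
```

Run against a saved copy of a page, the external script list and pop-under URLs are what you would block or add to a proxy filter; the countdown script on its own raises no indicator.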

Let’s now assume that our victim is so gullible that he/she follows one of the links in the hope of getting a free laptop/etc. As soon as he enters his Email address and personal details, they’re immediately open to spammers. So if you don’t want to sacrifice your inbox for life (remember spam filters are computers, therefore as stupid as their programmers and not as effective as they would have you think) don’t sign up for one of these “freebie” sites.




Monday, March 19, 2007

See an advert for anti-spyware software? Think again.

Filed under: Uncategorized — Jonathan Rothwell @ 20:45

Just because something is advertised on the Internet, it isn’t necessarily safe, as most people with any common sense would know all too well. And what really annoys me is the proliferation of fake ‘anti-spyware tools’ on the Internet.

New users tend to be lured in by dire warnings along the lines of “however you’re already protected, it won’t stop spyware unless you install this product”, followed by the user blindly rushing through the confusing EULA, which includes a passage deep in its depths that says something along the lines of “by clicking ‘next’, you consent that we can examine your usage data and install sponsor applications on your computer”. And so on.

Often these ‘cleaners’ will claim that antivirus software can’t remove spyware. Erm… yes they do, albeit not as successfully as real dedicated spyware removers.

Anyway, this suspicious site then proceeds to install itself, and the included malware, on the user’s computer. What they don’t realise is that more often than not, these ’spyware killers’ don’t actually get rid of spyware. They instead install spyware on the machine.

This kind of scam also occurs in programs that dub themselves “Whizzo PC Tuneup 2007”, “Brand X Registry Cleanser 8”, etc. that generally attempt to lure users in with the promise of a faster computer etc.



Powered by WordPress 2.7 Comments are the responsibility of their respective author. The Rest © 2007-2009 Jonathan Rothwell, unless otherwise stated.