Monthly Archives: April 2015

Antivirus Pro 2015

Antivirus Pro 2015 is a fake Antivirus tool. It is from the same rogue family as AntiVirus Plus 2014, Smart Security, Internet Security, Privacy Protection, Security Protection, Malware Protection, Spyware Protection, Advanced Security Tool 2010, Security Central, Home Personal Antivirus, XP Deluxe Protector, Win PC Antivirus, Win PC Defender, XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.

The rogue detects fake infections and prevents legit softwares execution, displaying alert messages to scare users.


A new option to stem the tide of nefarious Twitter images…

Smoothwall's team of intrepid web-wranglers have recently noticed a change in Twitter's behaviour. Where once, it was impossible to differentiate the resources loaded from twimg.com, Twitter now includes some handy sub-domains so we can differentiate the optional user-uploaded images from the CSS , buttons, etc.

This means it's possible to prevent twitter loading user-content images without doing HTTPS inspection - something that's a bit of a broad brush, but given the fairly hefty amount of adult content swilling around Twitter, it's far from being the worst idea!

Smoothwall users: Twitter images are considered "unmoderated image hosting" - if you had previously made some changes to unblock CSS and JS from twimg, you can probably remove those now.

Betabot retrospective

Some of you know Betabot.. if you don't: http://www.ic3.gov/media/2013/130918.aspx

1.0.2.5 panel:
Dashboard:

extended information:

Search options:

Tasks:

Remove bot:

Terminate bot till next reboot:

Botkill:
Socks4:
Set browser homepage:

Visit URL option:

Update bot option:
Download file option:
DDoS cmd option:

Formgrabber logs:

logins:

users:

Settings:
IP blacklist:


List of dns recod to modify:


Help:

1.5.0.0:

Tasks:

Statistics:

Files:

Users notice:

AV Checker:

1.7.0.1:

The botmaster was running a support site at the url betabot.ru that i've monitored since... i don't know almost the begining till the end.
I've really collected a lot of datas and was constantly flagging new C&C urls even before they was active.


Inquiries sent to the betabot team (before they started the support forum):

Site structure:

Some clients kits:

Finally some people got busted using these informations..
If you want an example.. 'Spit Fyre' ex super moderator at Trojanforge who reside in the same country as me.
If you wonder why he disappeared you know why now.

Spit Fyre requesting an admin of Hackyard to delete his account after he got cops at door:

Some of his domains:
• dns: 1 ›› ip: 124.248.205.104 - adress: DARKNESS.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: WEED.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: MEZIAMUSSUCEMAQUEUE.SU
• dns: 1 ›› ip: 124.248.205.104 - adress: UMBXD15896.SU
• dns: 1 ›› ip: 124.248.205.135 - adress: STYXB1TCH35.SU
• dns: 1 ›› ip: 124.248.205.135 - adress: J1NXFYR3.SU

Anyway it's useless to talk about him and others betabot clients who had visits, the current status of betabot is stalled now and someone even made a builder for the 1.7.0.1 version.
Betabot was a creative malware, plagued by bugs though.

Community news and analysis: March 2015

Featured news

Google cracks down on Chrome extensions that inject ads and degrade users’ browsing experiences (31 March). Google also added information about unwanted software to their Safe Browsing API last month (24 March).

Automattic: Five ways to secure WordPress plugins (27 March), preventing cross-site scripting in JavaScript (25 March), and a blind SQL injection vulnerability found in Yoast’s popular WordPress SEO plugin (13 March).

Three cheers for open information: Check out DreamHost’s first ever Transparency Report!

Malware news

ESET analyses “Casper” malware used against Syrian targets and likely developed by the same group behind the Babar and Bunny malware (5 March).

SiteLock demonstrates what it looks like to infect a website (19 March).

Sophos on the new TeslaCrypt ransomware targeting gamers running Windows (16 March) and developments in Microsoft Office malware (6 March).

A couple pieces of interesting Sucuri analysis: WordPress malware causes pseudo-DarkLeech infection (26 March); ‘inverted WordPress Trojan’ adds useful features along with malware (11 March).

Other security news

Mozilla on memory scanning for server security (12 March) and revoking trust in one CNNIC intermediate certificate (23 March).

Qualys: GHOST remote code execution exploit (17 March).

Fortinet: Cross-site scripting vulnerability discovered in WordPress Photo Gallery plugin with 12 million downloads (20 March).

Cyber scams that target senior citizens in India


A senior citizen’s primary gadget is a mobile phone which in earlier years was used to make/ receive calls and SMSes. With rising Internet penetration, children living in different cities and countries, video calls and rising costs; senior citizens have begun to use alternate communication channels like Whatsapp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding on how voice and data services work.  Cybercriminals and Spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the bill rates are significantly higher as there is a third party service charge for these services added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that once a call back is received, the caller is kept on the line for several minutes. The longer the duration the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call ran out. Many senior citizens become anxious and literarily rush to their telecommunication service provider only to receive a stoic response that they are not responsible for any calls made or received. To resolve their excess charge they are advised to take up the matter with the third party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit would make it an unviable option with no guarantee of refunds.

Senior citizens can protect themselves by:

1.    Restricting outbound international calling,  if there is no necessity to make overseas call

2.    Ignore short duration missed calls from international destinations

3.    Checking the international dial code for missed numbers before returning the call. If the number originates from a country where they do not expect a call from, then it would be best not to return them

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or Whatsapp messages congratulating them on having won a “big lottery” and asking them to quickly claim their money.  One senior citizens though this was a valid claim because “it was not classified as spam” by the service provider. 40% of spam is not blocked by spam filters and spam filters only help but do not guarantee that a communication is legitimate. Once a request for redeeming the claim is made these scams always ask for either personal information or the payment of an advance fee, which when paid is either followed by a further request for money and the eventual disappearance act by the scamster.

 Senior citizens must not share personal data online and always avoid requests made for money to process a lottery win or to release a parcel, or to send a free gift as these are sure signs of fraudulent behavior. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information which can later be sold or used to access online back accounts is another type of scam. Scammers pose as officials in position of authority (banks, police, and income tax) or as sellers of credits cards/personal loans using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that however convincing the callers are information like bank accounts, financial records and passwords are never sought by authorities or banks.

“Fancybox for WordPress Has Expired” Infection

Today I began to notice quite a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin.

As you might know, versions 3.0.2 and older of this plugin allowed anyone to craft special POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php and change values of specific plugin options in WordPress database. The plugin uses the modified options to build its own JavaScript code. As a result, the malicious content gets injected into generated WordPress pages.

A typical malicious injection looks like this:

Fancybox infection

Such attacks use the documented exploit code to inject malicious code into the “padding” value.

The exploited vulnerability had been fixed on February 4th. Nonetheless, many blogs failed to update the plugin and hackers routinely find such blogs and infect them.

The today’s attack also uses this exploit and modifies the “padding” value, but the code it injects cannot be called malicious:

Fancybox expired warning

When visitors load such “infected” pages, they see this warning:

WARNING: This version of the Fancybox for WordPress plugin has expired!
Please upgrade to the latest version!

And when they click on the “OK” button, they automatically get redirected to the Fancybox for WordPress changelog page in the official WordPress plugin repository.

On one hand, this infection makes blogs unusable since it redirects visitors to WordPress plugin repository before they can read anything. On the other hand, it is very hard to ignore such a warning — if site owners want people to visit their sites they have to upgrade (or remove) the vulnerable version of the plugin ASAP.

Now is the time to check if your blog shows such warnings. If you don’t see them, it’s not a reason to relax and wait for such a hard push to upgrade. Make sure all your themes and plugins are up-to-date now.