d4rkr1d3r's Computer Security Blog

Visit Hacking4All.com!

2008-08-24T03:44:00.002+01:00

I have a new site: http://hacking4all.com !
The domain is going to be turned into a computer security forum.
It's still a work in progress but if you have the time, check it out, it'll be worth it!

'Google Bot' to blame for recent mass hacks

2008-06-04T10:35:00.012+01:00

Mass hacks have become increasingly prevelent over the past year. However, despite the large number of recent mass hacks, each attack appears almost identical to the other.
For example, all appear to have originated from China (examples of which are the 'Super Bowel' incident and March's 'dota11' attacks), employ 'SQL injection' and they all use 'GoogleBot'[1] to their advantage...

A few months ago I blogged about 'Google Hacking', a relatively new trend in the hacking community that utilises the popular search engine 'Google'[2] to locate vulnerabilities in websites indexed by 'Google's crawler bot: 'GoogleBot'.

This is generally done with the aid of automated search tools that make precise queries ("dorks") to 'Google'. This is what the Chinese hackers in question have been using to locate and exploit their targets. This however, was what the computer security community assumed but could not be sure of.. Until the 'SANS Internet Storm Center'[3] extracted the actual executable used in the 'dota11' attack from within the exploit coding of an infected domain (for an exact description of the application and it's functions, visit http://isc.sans.org/diary.html?storyid=4294)

As you can see from the image above, the executable is an automated 'Google Hacker' much like the 'Goolag' application released by 'Cult Dead Cow' ('cDc') last year.

It seems that we can expect to see significantly more 'Google Hacking' in the future especially in the instance of mass hacks.

[1]: http://www.google.com/support/webmasters/bin/topic.py?topic=8843

[2]: http://www.google.com/

[3]: http://isc.sans.org/diary.html?storyid=4294

I'm back

2008-06-04T10:25:00.003+01:00

I've decided to get back to writing blog articles when I have the time. Sorry all for the brief hiatus but I have been fairly busy recently and simply haven't been able to access time needed for a blog.

I'll be posting a new computer security at least once a week.

'Storm worm' creators loose track of time

2008-04-10T00:38:00.005+01:00

It seems the creators of the 'Storm Worm' have started yet another Valentine's Day campaign.. This time in April.
E-mails have been spammed out with body text offering Valentine's Day e-cards and linking to abused 'Google Blogspot' pages. These pages are purely social engineering-based and require the user to download and run the 'Storm' executable, without the presence of exploits.

It seems 'Blogspot' is now a popular target for malware authors, as it has recently been utilised by spammers as a domain forwarding method, to distribute the 'Zlob' trojan, and now 'Storm'.
This may also represent yet another link between the 'RBN' ('Russian Business Network') and the 'Storm Worm', as the 'Zlob' trojan has been confirmed to be of definite 'RBN' origins.

The executables involved in this wave are 'love.exe' and 'withlove.exe' and both are hosted on fast-flux domains.

We do not know why the 'Storm' authors have decided to run a Valentine-based campaign this April and I doubt we ever will.

"April Fool's! You're infected with storm!"

2008-04-06T10:08:00.006+01:00

It seems while I was away in Italy (the past week), the 'Storm' worm has got up to it's old tricks, this time, in light of the recent 'April Fool's' day, a new e-mail spam campaign has been pushing storm.
Generally displaying the similar short body phrases such as "Happy April Fool's Day", the e-mails all contain numeric-IP http links leading to this page:

After 5 seconds, 'funny.exe' will commence downloading, the "click here" link downloads 'foolsday.exe' and clicking the image will download 'kickme.exe'.
Regardless of this, all are simply a new 'Storm' variant.

'Google Hacking' in detail

2008-03-23T19:06:00.005Z

A new trend in the hacking world: 'Google Hacking' enables individuals to locate vulnerabilities, harvest sensitive information and even acquire 'warez' simply via 'Google' search.
Recently made particularly popular by the 'grayhat'[1] hacking group: 'Cult Of The Dead Cow'[2] (or 'cDc', creators of the infamous 'Remote Access Tool': 'Black Orifice') and 'jonnyihackstuff'[3] ('JIHS'), 'Google hacking' is the utilisation of 'Google's syntax or it's individual language in order to locate security information via advanced 'Google' queries (or "dorks").

An example of a "dork" is as followed:

intitle:"index of admin"

The 'intitle:' phrase is used to ensure the query appears in the title of a web page and the inverted commas ensure that the phrase will appear in the search results.
As 'GoogleBot' crawls the web, indexing each page of a domain, it also indexes the 'admin' section of the domain. This "dork" enables users to search for and access indexed admin sections of domains.

Here is a more relevant example of how 'Google Hacking' can be employed when searching for and hacking vulnerable domains.

intext:"POWERED BY HIT JAMMER 1.0"

The 'intext' phrase ensures that the query will be located in the text of each resultant domain and the inverted commas ensure that the query will appear in each search result.

As follows is the description for this particular "dork" via 'JIHS'[4]:

"Hit Jammer is a Unix compatible script that allows you to manage the content and traffic exchange and make web changes, all without needing HTML. It is typicaly used by the underground sites on the Net who "pay for surfing ads" and advertise spam services or software. An attacker can find these sites by searching for the typical "powered by hit jammer !" frase on the bottom of the main page. Then if he changes the URL to www.target.com/admin/admin.php he is taken to the admin panel. Hit Jammer administrators are warned to protect this page with the .htaccess logon procedure, but many fail to do just that. In such cases, customer information like email addresses and passwords are in clear view of the attacker. Since human beings often use one simple password for many things this is a very dangerous practice."

As you can see, 'Google Hacking' can be an extremely powerful tool for simple 'whitehat' domain auditing or for 'blackhat' hacking.

The release of 'cDc's 'Goolag Scanner'[5], a program that searches domains for vulnerabilities using "dorks" has greatly increased the appeal for "Google Hacking" among the 'script kiddie' world and has been greatly enforced by 'JIHS' 'Google Hacking Database'[6].
It is certain that 'Google Hacking', due to 'Google's already immense popularity can be expected to be a prevalent factor in the world of computer security.

[1] : http://en.wikipedia.org/wiki/Grey_hat
[2] : cultdeadcow.com
[3] : http://johnny.ihackstuff.com/
[4] : http://johnny.ihackstuff.com/ghdb.php?function=detail&id=288
[5] : http://www.goolag.org/
[6] : johnny.ihackstuff.com/ghdb.php

Security companies reccomend disabling 'firewire'

2008-03-09T18:43:00.005Z

During the 'PacSec' security conference of 2004, Maximillian Dornsief demonstrated how an individual may gain access to a computers internal memory via physical access to it's 'firewire' port.
Simply by plugging in a modified 'iPod' or laptop to the computer's firewire port, an attacker can install malware, harvest encryption keys, unlock 'Windows' and thusly preform a number of other malicious activities.

Many people are not yet aware of this issue and though the vulnerability was demonstrated in 2004, a fix has not yet been generated for it and as a result of this, security experts are reccomending that users disable any generally unused or rarely used 'firewire' ports.
For users that wish to learn more about this issue, the 'PowerPoint' presentation Dornsief utilized during his speech can be downloaded from the 'PacSec' website[1].

[1] : http://www.pacsec.jp/psj04/psj04-dornseif-e.ppt

Symbian, meet Window's old friend: Extortionware

2008-03-05T21:23:00.006Z

Yesterday, 'McAfee Avert Labs' discovered yet another article of mobile technology-based malware, this time directed at 'Symbian 60 series' mobile phones. This one, as with the last, origionated from China and has been dubbed: 'SymbOS/Kaizha.A' by 'McAfee'.
The 'extortionware' displays a message, informing the user that if they do not send RMB 50 (approximately $7 in American currency) to the malware author, they will never regain use of their phone.

Image property of 'mobilab.unina.it'

The extortianware is also bundled with other multiple droppers, simply emphasizing the point that the distribution malware aimed at mobile-based technology is raising at an alarming rate.
Anti-virus applications are already beginning to become available for mobile-based technology and can be expected to be seen much more of in the future.
Who knows, prehaps 'Microsoft', 'Nokia' and other large mobile technology brands will begin shipping their products with anti-virus products installed.
One things for certain, the majourity of end-users are not even aware of any mobile-based threats out there and education is required as these sort of threats continue to become more prevelent.

"MonaRonaDona": A revolution in social engineering

2008-03-05T17:33:00.007Z

Recently, infections of the malware "MonaRonaDona" have been increasingly prevelent.
Once "MonaRonaDona" is installed on a user's system, it displays the following message:

"Hi, My name is MonaRonaDona. I am a virus
& I am here to Wreck your PC. If you
observe strange behaviour with your PC, like
program windows disappearing e.t.c, it's me
who is doing all this. I was created as a protest
against the Human Rights Violation
being observed throughout the world & the
very purpose of my existence is to remind
& stress the world to respect humainty."

Once active, "MonaRonaDona" attempts to terminate the following services:

Date And Time
Windows Task Manager
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Messenger

The 'Internet Explorer' title bar is also modified to contain text regarding "MonaRonaDona".

Immidiatly after infection however, this activity will not be present as the malware registers itself to run as 'Windows' boots. As a result of this, how "MonaRonaDona" actually infects computers is still unknown as users often cannot remember their actions prior to the infection.

However, this is where it gets interesting as due such actions as displaying a warning message once infected, actively terminating common 'Windows' processes and displaying messages in application's title bars, we are forced to ask ourselvs the simple question:

"Why does the malware author want "MonaRonaDona" to be noticed by the user to such an extent?"

The awnswer lies in a simple search for "MonaRonaDona" in one of today's popular search engines. This query will direct the user to a page similar to this one:

Or alternatively a 'Digg' (a popular content sharing domain) article or 'YouTube' video, all advertising the same product:
"Unigray antivirus".

The article displayed in the image claims that "MonaRonaDona" can be fixed with the following legitimate applications:

'Kapersky'
'AVG'
and 'McAfee'

When in reality, only 'Kaspersky' has included "MonaRonaDona" in it's 'DATs' (as 'Trojan.Win32.Monagrey.a').
The article also claims that the best application that a user can use to fix the malware is called 'Unigray antivirus'.
'Unigray antivirus' is an application published on the web at the same time detections of "MonaRonaDona" began appearing.
Furthermore, when examined by 'Kaspersky Labs', the application was found to only detect (to a minimal standard) 19 different threats (including "MonaRonaDona") yet only removes one.. "MonaRonaDona".
When comparing the code of "MonaRonaDona" to that of 'Unigray', it is also noteable that there are many simularities.
Therefore, it extremely probable that the individual(s) behind "MonaRonaDona" are the same individual(s) that created "Unigray Antivirus".
It seems social engineering techniques are getting increasingly devious and manipulative and that fraudware/malware authors are gaining more insight into the psycology of their victims and can thusly be expected to be seen employing social engineering techniques as a venue for infection more regularly.

'Storm' returns to 'e-cards'

2008-03-05T17:16:00.005Z

It seems the 'Storm' worm has returned to it's previous attempts to distribute via fake 'e-cards'.
A large number of e-mails promising humerous 'e-cards' have been spammed around the globe.
The e-mails direct the user to a numeric 'IP' link to a domain hosted on 'Storm'-infected computers. The domain purports to be a well known legitimate 'e-card' distributing domain named 'funnypostcard.com' (the legitimate domain' s owners are in no way responsible for these attacks).
Once a user clicks the link, they are presented with a domain similar to this one:

Clicking on the "click here" text prompts the user to download 'e-card.exe', whereas clicking on the image directs the user to downlaod 'e-card.exe' and if the user remains inactive for 5 seconds, a download for 'ecard.exe' is automaticly activated.

'Phone Phreaks' (1950): Are hackers regressing?

2008-03-02T21:30:00.006Z

phreaking /freek'ing/ /n./ [from `phone phreak'] 1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls). 2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks).

'Hacking' began in the 1950s as a hobby called 'Phone Phreaking' (well known for 'Captain Crunch' an individual able to gain access to free long distance phone calls simply by whistling down a phone using his free 'Captain Crunch' whistle). 'Phone Phreaks' were individuals who misused the extensive knowledge they possessed of phones and how phones functioned in order to gain access to free long distance calls and execute social engineering techniques on phone company staff. It was primarily a hobby to begin with but became significantly more serious as the 'FBI' and phone companies began to crack down on 'Phone Phreaks'.

Once the first 'PC' ('Personal Computer') 'Simon' was made available as a building kit with each issue of Edmund Berkeley's 'Radio Electronics' magazine (1950), 'Phone Phreaking' began to die out.
However, with the recent large rise in mobile technology-based malware, security researchers and hackers are beginning to once again return their focus to phones and other mobile technology. With the recent 'DDoS' ('Distributed Denial Of Service') vulnerability discovered in the 'iphone' recieveing so much press, 'McAfee's discovery of 'WinCE/InfoJack': a trojan for the PocketPC and the presentation at last week's 'Black Hat' conference regarding the exploitation of 'VoIP' for malicious uses, it seems that phone-based security threats are definantly growing and can be expected to be an important security topic in the future.

Misuse of 'GoogleBot'

2008-02-26T21:30:00.005Z

The alteration of a user's 'user agent string' can provide an individual the ability to discuise themselvs as any internet-based entity they wish.
It has become a recent trend for end-users to duiscise themselvs as the 'GoogleBot', a bot that crawls domains searching for content to be displayed on the popular search engine: 'Google'.
Normally this would not be an issue. However, some domains are configured to allow 'GoogleBot' full access and higher privilaged rights than the average guest user.
For instance: A user discuised as 'GoogleBot' may be free to enter a registration-based forum or domain without the proper credentials to do so due to the domain's settings allowing 'GoogleBot' full access.
This practice is called 'user agent switching' and has been made popular by the 'Mozilla Firefox' add-on: 'User Agent Switcher'[1].
This adds further emphasis to the question "how much trouble can 'Mozilla Firefox' add-ons really cause for companies". With add-ons such as 'AdBlockPlus'[2] (a 'FireFox' add-on intended to block advertisments from user's browsers), some domain registrants are even attempting to make a point by completely blocking[3] 'FireFox' users from their sites.
Will this 'FireFox'-hating trend catch on with domain registrants?
Who knows, but it seems 'FireFox' already posesses an almost cult following that is unlikely to be phased by any attempt to dispuit the browser's success.

For more information on 'user agent switching', visit 'whatsmyuseragent'[4].

[1] : https://addons.mozilla.org/en-US/firefox/addon/59
[2] : http://adblockplus.org/en/
[3] : http://www.firefoxfacts.com/2007/08/21/anti-firefox-loons-go-off-deep-end/
[4] : http://whatsmyuseragent.com/

Canada Botnet Arrests

2008-02-25T09:59:00.002Z

On Febuary 20th, 17 individuals between the ages 17-26, all male except for one 19-year-old woman were apprehended on alleged charges of cyber-crime and profiting from the utilisation of cyber-crime via botnets.
The Canadian hacking network arrested have been thought to have caused up to $45 Million in damages and gained control of over a millian computers during their period as cyber-criminals.
The network had been under investigation for 2 years and the overall maximum sentence for the charges is 10 years in jail signifying quite a commendable bust for the Quebec police force.
Cyber-crime in Canada has been fairly prevelent recently and it is good to see cyber-criminals being actively apprehended for their crimes as hopefully others will follow or at least take heed.
More information on the arrests can be located on the 'canada.com' news network[1].

[1] : http://www.canada.com/calgaryherald/news/story.html?id=f0f6138c-0bd7-4061-bb8e-be7d6d4b654d

Linux Kernel 'vmsplice' Exploit

2008-02-21T11:59:00.006Z

'CVE-2008-0600', a vulnerability in Linux kernels Versions 2.6.17 to 2.6.24.1 has recently been made public via 'Milw0rm.com' (A popular exploit and vulnerability archive domain established by the well known hacktivists: 'Milw0rm').
The bug allows a local user to gain root privileges. Reports also claim that this exploit is currently being utilised in the wild.
The vulnerability is present in the 'get_iovec_page_array' function (fs/splice.c, line numbers from 2.6.23.1-42.fc8 kernel - available via the vmsplice() system function).
More information on how to patch the vulnerability can be located on 'KernelTrap'[1].

[1] : http://kerneltrap.org/Linux/Patching_CVE-2008-0600_Local_Root_Exploit

DoS vulnerability discovered in iPhone

2008-02-20T23:37:00.007Z

Many security researchers in 2007 predicted a rise in 'Symbian' and mobile-based security threats in 2008. As a result, researchers are now beginning to direct attention towards mobile technology in order to identify and prove the existence and concept in the rise of such threats.
While attempting to locate a method to unlock the filesystem on 'iPhones' running on the 1.1.3 firmware, researchers noticed vulnerability in the 'iPhone's 'Mobile Safari' that can be exploited to trigger a 'DoS' ('Denial Of Service') attack.
The researchers created a proof of concept web page where a user can trigger the exploitation of the vulnerability by clicking a 'Go!' button.

Once clicked, a pop up is created which then runs the exploit code.

The 'iPhone' is then rendered completely unresponsive until the system reboots under a minute later.
The bug, partially based on a 'Javascript' code origionating from the 'Month of Browser Bugs' ('MOBB'), can only be prevented prior to patching, by disabling 'JavaScript' (Home > Settings > Safari).

Is your secret admirer a botnet?

2008-02-14T01:04:00.004Z

On Monday evening, a vast number of new 'Storm' variants were spammed out. It seems these variants were (due to a new compiler utilised by the creator[s]) almost completely undetected by anti-malware vendors.
The link in the e-mail directs the user to a domain displaying a rather festive "Valentines Day Bingo" image.

The domain then prompts the user to download/run an executable named 'valentine.exe'.

Once ran, the 'Storm' worm is free to wreak it's general havok.

Infected in a flash!

2008-02-09T19:29:00.002Z

A new trojan downloader is currently being distributed via fake 'Macromedia Flash' downloads.
Yesterday at 07:06:40 AM, my honeypot e-mail recieved spam from the spoofed address:
'accounts@passport.com'.
The e-mail's content was as follows:

"tudo bem? eu esqueci de mandar as fotos! agora tá ai!!

Beijao meu amor

anexo: Baixa fotos.jpg (192 kb)"

Roughly translated into english:

"all good? I forgot to order the photos! now ok! Beijao my love attached: Low fotos.jpg (192 kb)"

Once the link is clicked, they are directed to the domain: 'http://aualjbdp[REMOVED]3.com.sapo.pt/Macromedia_flash_install.html' which attempts to infect them with a trojan downloader via 'ActiveX' and social engineering techniques.

This blog is the first resource on the internet to mention this particular variant as it seems to be relatively new. As a result, all detections from anti-malware applications (10/32 - 'VirusTotal') are simply based on heuristics:

"AhnLab-V3	2008.2.6.10	2008.02.05	-
AntiVir	7.6.0.62	2008.02.08	TR/Crypt.CFI.Gen
Authentium	4.93.8	2008.02.08	-
Avast	4.7.1098.0	2008.02.08	-
AVG	7.5.0.516	2008.02.09	-
BitDefender	7.2	2008.02.09	Trojan.Downloader.Banload.NVX
CAT-QuickHeal	None	2008.02.08	-
ClamAV	0.92	2008.02.09	-
DrWeb	4.44.0.09170	2008.02.09	-
eSafe	7.0.15.0	2008.01.28	suspicious Trojan/Worm
eTrust-Vet	31.3.5522	2008.02.08	-
Ewido	4.0	2008.02.09	-
FileAdvisor	1	2008.02.09	-
Fortinet	3.14.0.0	2008.02.09	-
F-Prot	4.4.2.54	2008.02.08	-
F-Secure	6.70.13260.0	2008.02.09	W32/Downloader
Ikarus	T3.1.1.20	2008.02.09	BehavesLikeTrojan.UserStartup
Kaspersky	7.0.0.125	2008.02.09	Heur.Downloader
McAfee	5226	2008.02.08	-
Microsoft	1.3204	2008.02.09	-
NOD32v2	2861	2008.02.09	-
Norman	5.80.02	2008.02.08	W32/Downloader
Panda	9.0.0.4	2008.02.09	Suspicious file
Prevx1	V2	2008.02.09	-
Rising	20.29.22.00	2008.01.30	-
Sophos	4.26.0	2008.02.09	Mal/Behav-130
Sunbelt	2.2.907.0	2008.02.09	-
Symantec	10	2008.02.09	-
TheHacker	6.2.9.213	2008.02.09	-
VBA32	3.12.6.0	2008.02.09	-
VirusBuster	4.3.26:9	2008.02.09	-
Webwasher-Gateway	6.6.2	2008.02.09	Trojan.Crypt.CFI.Gen"

The trojan downloader is of Portuguese origin and connects to several domains such as 'box[DOT]net' (a legitimate file storage domain) in order to download further malware (q25qp1hyc0.exe - A trojan downloader), 'smtps[DOT]uol[DOT]com.br' (200.221.4.131) and also attempts to connect to 'r0xlink3d[DOT]net ', a domain that is currently not responding.

It also attempts to send a blank e-mail to 'inforte34@gmail[DOT]com' with the subject: '[VICTIM'S E-MAIL] o - USER', as a notification of infection.

I have also located a server with three previous veriants on, suggesting there may be more to come..

More 'IRS' 'Phishing'...

2008-02-06T21:28:00.002Z

U.S. Internal Revenue Service ('IRS') 'phishing' scams have been extremely prevalent recently, with e-mails containing the scam being mass 'spammed' to thousands of captured e-mail addresses.

The newest version of this scam arrives in the form of an e-mail notification via a spoofed 'IRS' address ('under-forms@irs.co.us') claiming that there has been a mistake in the calculation of the recipent's fiscal activity over the last year and they are in fact eligible for a tax refund of $375.20.
The e-mail then links to a form requesting the victim’s name, social security number, credit card details, 'CVC/CVV2' and ATM pin number.

The 'phish' has been hosted on a compromised U.S. Halloween and movie props-based domain. This is yet another example of the increasing prevalence of compromised legitimate domains currently being favored by 'cyber-criminals' over their own malicious domains.

10,000 legitimate domains and a 'Linux' rootkit..

2008-02-03T17:44:00.001Z

Over 10,000 legitimate domains such as 'teagames[DOT]com' and 'Berkly University's website have been found to be serving malicious code to their customers.
The attack occurs via a 'Javascript' written to preform diagnostics on the target PC in order to detect which exploit (from a list of 12 patched exploits in various applications including 'Yahoo Messenger' and 'QuickTime') in order to download a trojan onto the PC via 'drive-by-download'. Once downloaded the trojan connects the PC to a 'botnet', giving the 'botnet' author full control over the user's PC.
However, the primary question is of coarse the matter of how so many highly regarded legitimate domains became compromised.
Now here's where it gets interesting. It appears that all the web servers currently being hacked into are all 'Linux ' servers (predominantly running on 'Santos' 4/5, 'Fedora Core' or 'RedHat Enterprise', utilizing 'PHP', 'Apache' and some form of web control panel such as the popular 'cPanel' - meaning the intrusion method being employed by the hackers may well be via a security hole in any of these).
While we may not know how these hackers are gaining 'root' access, we do know they are gaining an immediate 'root SSH' connection, meaning that either a password file was harvested or that an exploit was utilized. Once 'root' has been gained, they install an extremely effective 'Linux kernel rootkit' and then their own 'HTTP' server. Once the server is installed, they wait until a user visits your domain and harvest the reply that visit generated prior to it reaching the 'Linux' servers 'TCP/IP stack' and injects their own malicious code into it and sends it off to the visitor.
This extremely devious and effective method of domain infection is both interesting and chilling.
'Linux' server users are encouraged to 'patch', utilize 'IDS' and 'firewalls' in order to aid the defense of their servers, but should also remember that as we are still currently unaware as to how these infections are occurring, this will not necessarily ensure complete protection.

'RBN' rogue security applications on Macs? What's next?'

2008-02-01T18:57:00.004Z

It seems organised crime aimed at the 'Mac' platform has been revolutionized with the creation of the first rogue security application aimed at Macs.

The application, 'MacSweeper' ('macsweeper[DOT]com') claims to be "an easy-to-use but powerful application that has the ability to improve your system performance" as well as preventing users from "being spied on and caught with inapropriate files on your computer".

However, it seems, as with it's clone aimed at the 'Windows' platform: 'CLEANATOR' ('cleanator.com), has no helpful functionallity and simply detects fake threats in an attempt to goad users into purchasing the software (as with the majourity of rogue security applications).
Another interesting factor is that of the reply 'F-Secure' recieved[1] after sending an e-mail notification to 'MacSweeper's support address ('support@macsweeper[DOT]com') which was as follows:

"I would like to explain all the situation, about MacSweeper.

We are really trying to make a good software, and you wont find any viruses/spyware/trojans/malware in MacSweeper (test it your self, if you don't believe me, you can use any type of firewalls, dissemblers, or other tools) .

The problem is that we are using selling partners that forces us to use this marketing type. We would like to leave them, we don't want to completely destroy Good Name of MacSweeper application.

Personally I adore Mac Platform, and it hearts to here that the program you wrote is said to be some kind of "Rogue application" , i wouldn't like to destroy good manners of software written for it :((

I would like to say sorry for all inconveniences that we could bring to you, but believe MacSweeper is meant to be a useful application. You can ask Questions, and i will try to answer them!

Thank You!
support@macsweeper.com"

('F-Secure' made several blog posts regarding 'MacSweeper'[1][2] including a 'YouTube' video[3].)

I myself, have noticed possible links with 'SpyShredder' and 'IEDefender'/'Files-Secure' due to use of identical images and text, backed up by their justification of their rogue software being extremely simlar to that in the case of 'IEDefender' who posted an attempted justification of their actions on 'CastleCops' forum.

As I previously noticed that 'IEDefender' may have been linked to 'SpyFalcon' and 'MalwareAlarm' (due to use of identical images and text), two domains that are owned by and maintained by the 'RBN' ('Russian Business Network'), does this indicate that the 'RBN' are now (on top of creating trojans for macs - 'OSX/DNSChanger') also beginning to aim their rogue security applications at 'Macs'?
Who knows? But one thing we can all be sure of is that malware and fraudware production aimed at 'Macs' is only going to get broader.
This is going to be a bad year for 'Mac' users.

[1] : http://www.f-secure.com/weblog/archives/00001365.html
[2] : http://www.f-secure.com/weblog/archives/00001362.html
[3] : http://www.youtube.com/watch?v=E4KWjqb8mEQ

Are 'Mac' Users Safe?

2008-01-28T20:18:00.001Z

For my first post, I feel it is necessary to address the issue of the majority of the 'Apple Mac' user community's almost impermeable attitude towards malware.
The big question is:
"Are 'Mac's safe from malware and other internet-based threats?"
Bear in mind that 'Apple's new operating System: 'Leopard's default security settings actually turn off the firewall by default. Does this mean that even 'Apple' think they are impenetrable to malware?
Well, as I assume most of you know: No, they are not. The reason for the simplicity of my answer is simply that (as many of you may be aware) there has already been malware produced that is built primarily to and can infect Macs.
Aside from all the old 'script kiddie' malware affecting machines running on previous versions 'Apple's OS', the first majour incident of malware infecting Macs running OS X was 'OSX/Leap.A' (as named by 'Symantec'). 'OSX/Leap.A is a parasitic worm that possesses the ability to spread via 'Apple's 'iChat'. The worm first appeared on a popular 'Apple' community domain, advertising itself as images of 'Apple's new OS: 'Leopard' under the filename 'latestpics.gz' . The worm appears to have primarily 'spyware' characteristics, monitoring the user's most used application and sending such data off to remote locations.

The second article of malware to affect the 'OS X' operating system, was dubbed as 'OSX/DNSChanger' by 'F-Secure'. Created by the infamous Russian crime syndicate: the 'RBN', 'OSX/DNSChanger' is a simplified clone of the 'RBN's previous highly successful trojan: 'trojan.zlob'. 'OSX/DNSChanger' modifies the machines default 'Domain Name Server' ('DNS') in order to redirect traffic to advertising domains located in Ukraine. The trojan is currently distributed via pornographic domains as well as domains already created by the 'RBN' with intent to distribute 'trojan.zlob' such as 'dvdaccess[DOT]net' and requires the user to actually download and install it.
The trojan even displays a mock 'EULA' ('End-User License Agreement') which simply illustrates the focus of social engineering present in the creation and distribution.
However, due to 'Mac's default security settings, users are required to enter their username and password prior to the instillation of the trojan. Many users may think that this will significantly cripple the distribution of the trojan. However, if this was true, why would the 'RBN' be so intent to create yet more variants (currently 'OSX/DNSChanger.PK')
Seems people will do anything for porn.

Welcome

2008-01-28T18:12:00.000Z

Welcome to my blog.
I have been meaning to make a blog for some time and now that I hav finally got around to it, I have decided to compose it around the topic of PC security, primarily 'malware' and internet-based scams.

'Malware' is the collective term of malicious coding. This incorporates spyware, viruses, adware, worms and trojans.

In this instance, scams will refer primarily to aspects of 'social engineering' (the term used to depict the goading of an individual to preform an action they would not usually). An example of such scams is 'phishing' which refers to the harvesting of bank details and other such personal information via acts of social engineering. An example of phishing may be a clone of a bank's login page where the user may enter their bank credentials in order to preform a transaction. However, when the user enters their credentials into a clone of the bank's login page, they are simply e-mailed to the 'phisher' who is free to do with them as he wishes.