Norton Safe Web, NSFW

November 20th, 2009

I quite like the Norton Safe Web service. I find it a lot more in-depth than Site Advisor.

For example, it shows you drive-by downloads along with the type of exploit:

[screenshot: Norton Safe Web drive-by download listing with exploit type]

However, there is something that bothered me: anybody (without age verification) can query their database.

They show a screenshot of the site you’re checking, and well, sometimes you don’t want to see that stuff:

[screenshot: Norton Safe Web site preview]

I mean, it’s not work safe.

[screenshot: the same preview, blurred]

Is it?

Jerome Segura

Posted in Uncategorized

XoftSpySE Anti-Spyware 7.0

November 19th, 2009

ParetoLogic released XoftSpySE Anti-Spyware 7.0, its famous Anti-Spyware product, now compatible with Windows 7.

[image: XoftSpySE 7.0 box, Windows 7 compatible]

Continuing on a tradition of small and fast programs, this version is less than 4 MB to download.

I decided to take it for a ‘test drive’. ;-)

I loaded my Windows 7 PC and ran a bunch of malware samples.

Then I put XoftSpySE to the test and it found and removed all sorts of Trojans and Worms within a few minutes.

[screenshot: XoftSpySE scan results]

If you want to try the product to see if your PC is infected, you can run XoftSpySE for free.

Jerome Segura

Posted in Uncategorized

Beyonce World hacked!

November 19th, 2009

This high-traffic site for the artist Beyonce (beyonceworld.net) has been carefully hacked. I just got this alert from our HoneyPots.

Google does not list this site as dangerous at the time of writing:

[screenshot: Google listing for beyonceworld.net, not flagged]

The site contains an Adobe exploit:

[screenshot: Adobe exploit detected on beyonceworld.net]

A file called annonce.pdf, which is NOT detected on VirusTotal (at the time of writing), is opened:

[screenshot: VirusTotal results for annonce.pdf]

How come none of the AV products picked up this PDF? It looked bad to me ;-)

[screenshot: contents of annonce.pdf]

Also, the site is flagged as benign by Wepawet (full analysis here). For whatever reason, Wepawet fails to detect the iframe.

However, beyonceworld.net does indeed contain a hidden iframe:

[screenshot: hidden iframe in the beyonceworld.net page source]

The domain online-counter.cn is well known for hosting malware; our friends at malwareurl.com list it here.

Warning! Those sites are live and can infect your PC!

Jerome Segura

Posted in Exploits

A dirty rogue

November 18th, 2009

This rogue anti-spyware (LinkSafeness) is particularly messy.

The scary warning:

[screenshot: LinkSafeness warning]

Bad English ;-)

[screenshot: LinkSafeness text with grammar errors]

It creates these garbage files in my System folder:

[screenshot: files dropped in the System folder]

[screenshot: LinkSafeness payment page]

$49.95 for that?

No thank you.

Jerome Segura

Posted in Uncategorized

‘Gulf War Vets’ site compromised

November 18th, 2009

The site contains several exploits, in particular:

- Adobe Collab overflow
- Adobe util.printf overflow
- Adobe getIcon

They are located at ul{sanitized}os.com/counter/pdf.php

[screenshot: exploit analysis of the Gulf War Vets site]

These days, most compromised sites use Adobe exploits. Make sure your Adobe software is up-to-date to stay safe!

Jerome Segura

Posted in Uncategorized

The Johns get owned

November 12th, 2009

I’m currently reading “The Johns: Sex for Sale and the Men Who Buy It” from Victor Malarek after having read “The Natashas: The New Global Sex Trade” from the same author.

The book draws a pretty sad but true picture of modern day sex slavery. Johns travel to poor countries in search of sex they can’t get at home.

Well, our HoneyPots caught this site promoting ‘Asian escort girls’:

[screenshot: the escort site]

Upon browsing the site, a malicious PDF gets pushed onto the user’s PC:

[screenshot: malicious PDF pushed to the visitor]

Now, how did this happen?

This Wepawet analysis reveals obfuscated code pointing to a malicious site (a look-alike misspelling of the Google Analytics domain):

[screenshot: Wepawet analysis showing the obfuscated code]

The PDF is only detected by Kaspersky at the time of writing (VT analysis).

Looks like the Johns are getting owned this time.

Jerome Segura

Malware ID: example.zip

Posted in Uncategorized

iPhone users at risk

November 9th, 2009

This is officially the first ITW (in the wild) worm for the iPhone. It affects users who have ‘jailbroken’ their device and still have the default password ‘alpine’.

The worm, dubbed sshgate by security company Intego, has several variants; sshgate.d is the most annoying, since it overwrites Cydia, an app used on jailbroken iPhones.

Currently the worm’s payload is to change the user’s wallpaper, but one could imagine more destructive or invasive behaviour in the future.

Jailbreaking an iPhone is illegal, and the numbers on how many iPhones have been hacked are not clear. The current mitigation is to change the default password on the device.

For users who have already been infected, there is no anti-virus software available as an app from the iPhone store. However, all is not lost: the user can run a security solution such as VirusBarrier from their Mac with the phone plugged in over USB.

The iPhone is becoming a more interesting target for malware authors, with 7.3 million units already sold in Q4 2009.

Jerome Segura

Posted in Mac security

Crontab way around in Linux

November 6th, 2009

I’m trying to run a script with crontab so that it runs at a certain time. Nothing new here…

However, my script involves PGP, and for some strange reason PGP will not decrypt anything while running under crontab (user-agent blablabla… and other bogus errors). The frustrating thing was that the script runs just fine if I run it manually.

Anyway, since crontab did not want to cooperate ;-) I decided to create my own scheduler. First you need a script that loops indefinitely; then this piece of code will execute myscript.sh at 1 PM every day.

[screenshot: the scheduler script]

You create a variable and assign it the current time. A little sed removes the colon (so 13:00 becomes 1300).

Then, if the variable equals the time you preset manually, it’s a go!
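The scheduler described above, reconstructed as a working shell script; this is an added example, not the author's screenshotted code. It assumes the job lives at ./myscript.sh, a 1 PM target and a 30-second poll, and adds a once-per-day guard that the post does not mention.

```shell
#!/bin/sh
# Added example: a reconstruction of the poll-the-clock scheduler described in
# the post (the author's own script was only posted as a screenshot).
# Assumed: the job is ./myscript.sh, the target is 1 PM, the clock is polled
# every 30 s. The once-per-day guard is an addition, so the job fires once
# during the 13:00 minute instead of on every pass through it.

TARGET="1300"        # 1 PM as HHMM, i.e. the clock reading with the colon removed
JOB="./myscript.sh"  # the script to run (assumed path)
POLL=30              # seconds between checks; two checks per minute never miss 13:00

# Strip the colon from a clock reading: "13:00" -> "1300".
strip_colon() {
    printf '%s\n' "$1" | sed 's/://'
}

# Succeeds (exit 0) when the reading, e.g. "$(date +%H:%M)", matches TARGET.
is_due() {
    [ "$(strip_colon "$1")" = "$TARGET" ]
}

# Loop forever: read the clock, compare, run the job at most once per day.
run_scheduler() {
    last_run=""
    while :; do
        if is_due "$(date +%H:%M)" && [ "$(date +%Y-%m-%d)" != "$last_run" ]; then
            "$JOB"
            last_run=$(date +%Y-%m-%d)
        fi
        sleep "$POLL"
    done
}

# Start the loop only when asked, so the functions can be sourced and checked
# without blocking:  SCHEDULER_RUN=1 ./scheduler.sh &
if [ "${SCHEDULER_RUN:-0}" = "1" ]; then
    run_scheduler
fi
```

Cron runs jobs without a terminal and with a minimal environment (usually a different HOME and PATH from an interactive shell), which is the usual reason a tool works by hand but fails from crontab.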

Hey, it may not be very pretty, but it saved me a lot of time!

It’s funny how often in our jobs we get stuck on something that just doesn’t make any sense. I usually try a quick way around it, which saves me hours.

Jerome Segura

Posted in Uncategorized

Fake porn, fake watches and hacking your wallet

November 3rd, 2009

Fake porn sites (real Trojan Horses), fake watches (real scams), password cracking (wallet cracking) : Welcome to the world of online crime!

All these sites were hosted on the same IP address, namely 210.51.187.{sanitized}. I’m going to show you a wide portfolio of online threats and scams.

To start off, a fake porn site called Pornotube pushes some malicious files onto your computer. There is the nice way (an EXE file) or the hard way (a malicious PDF).

[screenshot 1: fake Pornotube site]

[screenshot 2: fake Pornotube site]

The files are detected by most AV products:

http://www.virustotal.com/analisis/2b6cc5d84db7dd946ee8358ec2bf40435755ef9895e10c4fe13b513f8f8a255e-1257269784

http://www.virustotal.com/analisis/4d0fe75335c352ef7bb544e6b1eea9d1dd2d083a260292275be75580ce98efca-1257224665

Oh, and there’s the cousin website as well, with another PDF exploit ‘in-your-face’. Those sites are nasty looking, but that’s another story.

[screenshot: the cousin site with the PDF exploit]

Now, on to the fake watches. What better way than putting a bit of a Swiss flag in there too… Yes, the Swiss are known for their quality products, and watches in particular. The first time I flew to Geneva, I was amazed by just how many ads and posters of watches were all throughout the airport. If you take a walk near Lake Geneva (le Leman), you will see many old buildings with big signs on them, such as Omega, TAG Heuer etc. I stopped in front of a Cartier store to look at some of the watches; of course none of them had price tags on ;-)
You may get the feeling that I like watches hehe… I have a nice (although modest) Swiss Military watch.

Back to our story, here is a “replica” site… I personally would call it a “counterfeit” store, but it wouldn’t sound as nice, would it? They offer “Free shipping worldwide”, how convenient! I really hate counterfeit stuff. Recently I read an article about that industry in China and it really is an out of control problem.

[screenshot: replica watch store]

Finally, a page aimed at those who want to hack the Russian counterpart of Facebook (vkontakte.ru):

[screenshot: vkontakte.ru hacking page]

I had Google translate the Russian text for me:

[screenshot: Google translation of the Russian text]

Payment can be made through one of these institutions:

[screenshot: accepted payment institutions]

Anything else for you today?

Please note that ICQ hacks are on ‘winter sale’:

[screenshot: ICQ hack winter sale]

[screenshot: ICQ hack offer]

Don’t forget to use the:

[screenshot]

;-)

Jerome Segura

Warning: all links contained in this post may be dangerous!

Posted in Malware Trends

MDL: URL Clearing House in testing phase

November 2nd, 2009

We are doing some more testing and putting the final pieces together on our URL Clearing House project.

When will it be ready? I can’t say for sure yet. We need to add user accounts (don’t worry, the service will be free) for our own stats, write a Terms of Service, do some security checks on the server, etc.

In the meantime, we are aggregating data from our HoneyPots:

Query for Exploits:

[screenshot: MDL query results for Exploits]

Query for Trojan:

[screenshot: MDL query results for Trojan]

Anyway, I hope this will be a valuable source of information for all malware researchers. :-)

Jerome Segura

Posted in Research

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.