Jan 29 2016

FTC Announces Enhancements to IdentityTheft.gov

Original release date: January 29, 2016

The Federal Trade Commission (FTC) has upgraded its IdentityTheft.gov site to provide improved help to victims of identity theft. Enhancements include more personalized response plans for consumers, automatic generation of documents to aid in recovery, and better integration of the site with the FTC's consumer complaint system. Resources are also available for those who want to avoid becoming victims of identity theft.

Consumers are encouraged to visit FTC's IdentityTheft.gov site and review US-CERT's tip on Preventing and Responding to Identity Theft for more information.


This product is provided subject to this Notification and this Privacy & Use policy.


Jan 29 2016

hping3 – TCP/IP Packet Assembler & Analyser

hping is a command-line oriented TCP/IP packet assembler/analyser. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features. While hping was...

Read the full post at darknet.org.uk
Jan 29 2016

HSBC online banking suffers major outage, blames DDoS attack

(credit: Still from HSBC TV ad)

HSBC has been battling an apparent Distributed Denial of Service (DDoS) attack on its online banking system for the past few hours.

Many customers have been struggling to access HSBC online—via the bank's app or website—all morning.

HSBC blamed the outage on a DDoS attack, and attempted to spin the whole thing as a success story to mainstream news outlets. By way of example, witness this headline over at ITV News.

Read 4 remaining paragraphs | Comments

Jan 28 2016

File-Hosting Site Turns Your File Into Adware

This post was written by Oliver Devane and Mohinder Gill of Intel Security.

We recently received a sample from a customer and upon initial analysis it looked like a bundled software installer. Upon execution, the installer launches a website and then attempts to download an executable—an installer for FLV Player. Nothing out of the ordinary, but what grabbed our attention was the website that had loaded after execution. It appeared to be a “Thanks for installing” page but the domain name looked odd.

fake landing

We navigated to the top level of this site and found several subsites.

 

fake_landing

Clicking through these, we found all of them to be fake pages that show users an advertisement to entice them to install another piece of software. This tactic is common with installers for potentially unwanted programs (PUPs), but it is uncommon for one website to have several fake pages.

The common thread is that they all show ads from castplatform.com. A copy of the script used on these pages follows:

ad_scripts

Some of the pages we found were fake landing pages for common applications including:

  • VLC Player
  • CamStudio
  • FreeRideGames
  • FileHippoMineCraft Projects
  • Brothersoft

We decided to dive deeper and try to find the source of this installer.

This is usually the tricky part when dealing with PUPs due to the different techniques used by the authors. Most PUPs include no company or owner information, no homepage, come only in bundles, and require certain switches for the installer to work.

Our first step was to see if we could find other files that connected to these fake landing pages. We soon discovered thousands of these; they all showed similar behavior.

Once we gathered all the samples we knew our best shot was to get a list of all the domains that were contacted. The logic behind this was to look at the list and see if there was a common domain that appeared more frequently than others. It was likely this domain hosted the files.

We found a few common websites that the installers contacted, so we began to go through them. A couple stood out; these were file upload sites. We assumed these file upload sites bundled the uploaded files with a new installer.

The two sites that gained most of our attention were File-space.org and 100lm.ru. File-space.org made it clear that it was about monetizing.

filespace_2501

Here is a snippet from the FAQ page:

 

filespace_eula1

Here is how much its users can make:

 

sendspace_tarrif

It works out between £8 and £16 per one thousand downloads.

From reading the FAQ, we seemed to be on the right track. So we signed up to the website and uploaded a file. We then downloaded the uploaded file and found that it was indeed bundled with other applications. However, the behavior was not the same as our customer’s file. So our search continued for the source of our sample.

Our attention now went to 100lm.ru. This website had no detailed FAQ/EULA/Tariff page and no mention of monetization.

100lm.ru

What we instantly noticed was a catalog page.

correct_pupsite

Any file that anyone uploads to the site appears on this list. This means that anyone can download files anyone else uploads, even those rated “not so secure.” Regardless, we came here to find the source of our PUP installer.

We chose one file to download. As you can see from the following image, this file had been downloaded more than one thousand times.

100lm.ru

We replicated the file and found the behavior to be exactly the same as our initial sample.

So we downloaded a couple more of these files and we hit the jackpot. Every one we chose loaded the fake landing page. We checked the digital signature of the files and they all matched the one in the file we originally received.

digisig

Just to double-check, we uploaded our own file and downloaded it. The downloaded file was bundled with other software that loaded the fake landing page when executed.

What is different between the two upload sites is that 100lm.ru does not inform users that it is bundling; thus that site makes all the pay-per-install (PPI) revenue. This is extremely misleading. Even if a fake landing page was not loaded, this behavior would still warrant PUP detection.

Here is a flow of how this PUP spreads:

flow_2801

Our findings show that you have to be very careful when choosing a file-hosting website. We recommend that you use the most popular ones and do a simple check to see if the file you upload is the same as the one that you download.

A simple way to do this is to use the command-line tool FC.exe, which is available on every Windows system. It compares two files and will highlight any differences.

Usage: FC.exe “file1” “file2”

Malicious domains:

Detection for the malicious installer has been added as Adware-FakeLand and is covered in DAT Version 8055.

The post File-Hosting Site Turns Your File Into Adware appeared first on McAfee.