The Joomla Extension Directory Finally Moves Off of Joomla 1.5

When it comes to the security of websites what we see is that basic security measures are often not taken and unfortunately all too often those measures are not being taken by those who should know better and have the ability to make it easier to accomplish them. Take for instance the Joomla, until yesterday the Extension Directory portion of their website, an important section of the website, was still running Joomla 1.5:


That is despite the fact that support for that version ended back in September of 2012. It obviously doesn’t look good when the developers of software can’t even keep on a supported release of their own software.

Thankfully, the Extension Directory has now been moved to Joomla 3.3:


Unfortunately it doesn’t appear that even their inability to get off of Joomla 1.5 for so long has lead them to provide anything to make it easier to move off that version, which many others still remain on.

InstallCube: How Russian Programmers Turn Adware Into Cash

We often observe applications bundled with ad-displaying programs to generate revenue for those products. These are not necessarily unethical, but some of them try to make easy money by deceiving users. McAfee categorizes such apps as potentially unwanted program (PUPs). Here’s a look at a recently discovered Russian-based campaign that is very well organized.

We can summarize the flow of campaign with this flowchart:


We came across one of the many sites that are part of this campaign. This site promises to give users pirated keys for various antimalware software so that they can use AV products for free.


Wrapped website.


Wrapped RAR file download button.


The keys are offered in a RAR file that is available on the site. However, we found this to be an adware executable with the name sample.rar.exe, which has a RAR icon to misguide users into thinking the file is an archive instead of an executable. One click by the user, and the adware is executed.


Icon resource of executable posing as a RAR file.

After executing, the sample first reports a confirmation to the back-end server of InstallCube ( with a unique load ID. The load ID comes from an algorithm that generates a number from the composition of range 0-9 and a-f. Each character of the key is generated using a different algorithm.


Fragment of algorithm to generate the key.


Generated post key.

This unique count helps determine how far the ads spread and eventually is converted to cash.

After loading the execution stat, the executable opens a page in Internet Explorer that has a big green download button and small download link. If the button is clicked, it will lead to two possible downloads: Either a big file (10MB-20MB) or a small executable (less than 1.5MB), which is the ad-producing software. Refreshing the same link will lead to various files being downloaded.


Bundle download button.

The big file is Trash.exe and pretty much justifies its name. This is a simple application made in Visual C++ and its only function is to display a dialogue reading “Trash Project, Version 1.0.” The likely use for such a big file is to create traffic to certain sites.


Trash.exe file.

In the following chart we can see the conversion of ads into cash:




The money flow.

We tried to register our account on InstallCube, which promised us that our software would be wrapped in a packer and installed to a number of users. However, to start the campaign they demanded at least 2000 rubles.



Installcube demanding payment from advertisers.

If the webmasters host only the deceptive adware and not useful files, traffic to their sites will decline because of unsatisfied customers. In this following chart we see this issue addressed by a webmaster, demonstrating the drop in traffic after the adware was hosted on his site.



Graph showing amount of views (blue) and visitors (green).

As a result, sites host the adware for a only short time, and periodically remove it so that the reputation of the site remains good. The adware executables on this site are also briefly hosted and are frequently replaced by useful files.

InstallCube is not the only organization profiting from this campaign. The webmasters who host misleading software are also making quick money by using InstallCube. In the following Russian blog we found a discussion among webmasters about how to use this software to make money.



Showing ads is not always bad behavior, but in this case two breaches make this campaign unethical. First is the deception of making an executable appear as an archive, and second there is no mention of the ads (such as an End User License Agreement). Users are given no options and become victims of the ad campaign as soon as they click the fake executable.

Such ads and force-fed bundled software are not malware, but they can annoy users and also take up a chunk of their bandwidth.

McAfee has blacklisted the InstallCube site and the back-end tracking service.





We also offer generic coverage of ad-producing executables as PUP-FSP, PUP-FRP, PUP-FQL, and PUP-FPA.

The post InstallCube: How Russian Programmers Turn Adware Into Cash appeared first on McAfee.

Feds used Adobe Flash to identify Tor users visiting child porn sites

A little more than 16 months ago, word emerged that the FBI exploited a recently patched Firefox vulnerability to unmask Tor users visiting a notorious child pornography site. It turns out that the feds had waged an even broader uncloaking campaign a year earlier by using a long-abandoned part of the open source Metasploit exploit framework to identify Tor-using suspects.

According to Wired, "Operation Torpedo," as the FBI sting operation was dubbed, targeted users of three darknet child porn sites. It came to light only after Omaha defense attorney Joseph Gross challenged the accuracy of evidence it uncovered against a Rochester, New York-based IT worker who claims he was falsely implicated in the campaign. Operation Torpedo used the Metasploit Decloaking Engine to identify careless suspects who were hiding behind Tor, a free service used by good and bad guys alike to shield their point of entry to the Internet.

The Decloaking Engine went live in 2006 and used five separate methods to break anonymization systems. One method was an Adobe Flash application that initiated a direct connection with the end user, bypassing Tor protections and giving up the user's IP address. Tor Project officials have long been aware of the vulnerability and strenuously advise against installing Flash. According to Wired:

Read 1 remaining paragraphs | Comments

Sony Pictures hackers make terrorist threat against opening of “The Interview”

The group that attacked Sony Pictures Entertainment’s network posted the first entry of what it's calling its “Christmas presents” on Tuesday, along with a warning to anyone who plans on going to see the Sony Pictures film The Interview—the movie that appears to be at the root of the group’s motives for its attack and dissemination of the company’s data. The "present" is apparently the personal e-mail box of Sony Pictures CEO Michael Lynton.

In a message posted to Pastebin and other text-sharing sites, someone claiming to be affiliated with the "Guardians of Peace" wrote:

We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear.

Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time.

(If your house is nearby, you’d better leave.)

Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment.

All the world will denounce the SONY.

The leaked file has already been removed from a number of file sharing sites after legal demands from Sony. Meanwhile, Sony has retained attorney David Bois to fight the spread of the data stolen by the Guardians of Peace by confronting media companies over publication of the data. Bois has sent letters to a number of media companies insisting that they not publish material from the leaks. "We are writing to ensure that you are aware that SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information, and to request your cooperation in destroying the Stolen Information," the letter stated.

Read 1 remaining paragraphs | Comments