Swatkat's rants

twitcurl - C++ twitter API library

noreply@blogger.com (swatkat) — Wed, 02 Sep 2009 03:46:00 +0000

twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be updated to support all the APIs. twitcurl uses cURL library for handling HTTP requests and responses. Building applications using twitcurl is quite easy:

Compile twitcurl source files (twitcurl.h and twitcurl.cpp) and link with cURL library (libcurl.lib) to build twitcurl.lib
Include twitcurl.h in your twitter based application and link to twitcurl.lib and libcurl.lib/libcurl.dll.
Instantiate an object of twitCurl class and use the twitter API wrappers that are exposed as public methods.

twitcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier). More info about the twitcurl library along with an example program is available here:
http://code.google.com/p/twitcurl/

Wolfram|Alpha launches

noreply@blogger.com (swatkat) — Sat, 16 May 2009 16:00:00 +0000

Wolfram|Alpha is finally launched! Wolfram|Alpha is a computational knowledge engine that to interpret the questions/queries and tries to formulate answers. It is not a search engine, it is a combination of encyclopedia and real-time data mining. Wolfram|Alpha tries to structure the information scattered in world wide web. It could be great for scientific (physics, mathematics etc.) queries as it uses Wolfram Mathematica to compute answers. It is still in alpha stage and has a long way to go. Try it out!

By the way, Wolfram|Alpha has answer to life, the universe, and everything. It's 42 ;)

And, you will see this when Wolfram|Alpha website traffic exceeds its bandwidth limit:

Google is working on a similar tool called Google Squared, which aims to structure the unstructured information.

New rogue: AV Antispyware

noreply@blogger.com (swatkat) — Sat, 18 Apr 2009 16:21:00 +0000

AV Antispyware is new rogue software that belongs to MS Antispyware 2009 family. The AV Antispyware installer is dropped by a fake codec hosted at http://lvl-softwares.com (195.88.80.41) (do NOT visit this site).

VirusTotal scan result for the dropper can be found here, and AV Antispyware removal guide can be found here.

Waledac's new geo-sensitive social engineering

noreply@blogger.com (swatkat) — Wed, 18 Mar 2009 14:40:00 +0000

Waledac spammers are using yet another social engineering tactic to spread their malware. As usual, the spam mails contain link to dubious websites. One of such spam mail can be seen in the following screenshot:

These websites look like a Reuters news webpage reporting "powerful bomb blasts" near your area/city, with a video clip embedded in it. To see the video, the site persuades you to download a fake Flash Player.

These fake websites are geo-sensitive and they figure out the place/city of a visitor (based on visitor's IP address) and report it as the location of "bomb blasts". This technique is called geo-targeting. An innocuous PC user may fall for this trick by thinking that bomb blasts have really occurred in his/her area and download the fake Flash Player! Following screenshots show the location sensitive website content (check the place where blasts are reported; they change based on the visitor's gepgraphical location):

As of now, fake webpage is located at yyr.breakingkingnews.com (81.241.128.178) (whois).

VirusTotal results of the malware hosted at the above site can be found here and here. An automated analysis by ThreatExpert can be found here.

SysProt AntiRootkit v1.0.1.0 released

noreply@blogger.com (swatkat) — Sun, 15 Mar 2009 17:50:00 +0000

Another update for SysProt AntiRootkit! The latest version, SysProt AntiRootkit v1.0.1.0, contains few bug fixes and enhancements. The changelog is as follows:

Added a "activity bar" to indicate scan progress
Optimzed device driver scanning
Added help file
Fixed process and driver scanning bugs in Windows 2003 SP1 and SP2

Get the latest version here.

Yauba - Privacy Safe Search Engine!

noreply@blogger.com (swatkat) — Thu, 12 Mar 2009 18:25:00 +0000

Yauba is a brand new search engine from India. Yauba's search result quality is great and is comparable to that of Google. Yauba neatly organizes the search results and also shows text/image previews of websites.

One of the important features of Yauba is its stress of user's privacy and security. Yauba operates in complete incognito mode and does not collect any personal data. Their privacy policy goes like this!

Here's an excerpt from Yauba's site, which tells us about their privacy practices:

Most search engines try to gather and record as much information about their users as possible. They (or their parent companies) operate massive server farms with even more massive databases that secretly record your entire search history, your private contacts, the identity of your family and friends, your personal emails, your conversations and chats, your browsing habits, your physical location, details on the software you use on your computer, your IP address, and much much more. This is no exaggeration. Indeed, if you ever saw exactly how much most search engines actually know about your private details, you would be completely shocked.

At Yauba, we completely reject the view that search engines somehow need to keep mountains of data on their own users. Instead, we take the exact opposite approach. We do everything we can to protect the privacy of our users.

This is why we do not keep any record of any of your search terms, browsing habits or any other personally identifiable information.
This is why we automatically delete any and every piece of personally identifiable information from our servers on a continuous basis.
This is why we can have the shortest privacy policy (9 words) of any major Internet service in the world.
This is why you can visit almost every Internet site through the main Yauba service on a completely anonymous basis (with the only exception of file types that use other external third party software or plug-ins for downloading or playing).

Yauba is still in Beta/Late-Alpha state, and I think it is a very good service. Try Yauba at http://www.yauba.com/

SysProt AntiRootkit v1.0.0.9 released

noreply@blogger.com (swatkat) — Sat, 07 Mar 2009 20:52:00 +0000

Here's the latest version of SysProt AntiRootkit. Now, SysProt AntiRootkit v1.0.0.9 supports Windows Vista (32 bit)! Check out few screenshots that show SysProt AntiRootkit in action:

Kernel modules:

SSDT hooks:

Kernel inline hooks:

Following list summarizes the changes in SysProt AntiRootkit v1.0.0.9:

Added Windows Vista support
Improved device driver detection
Faster "Kernel Hooks" scan
Faster "Ports" scan

The latest version can be downloaded from here. Supported operating systems are Windows 2000/XP/2003/Vista, 32 bit versions. Feedback is welcome :)

New rogue: IE-Security

noreply@blogger.com (swatkat) — Mon, 26 Jan 2009 14:29:00 +0000

IE-Security is new rogue software that belongs to IEDefender family. The IE-Security installer, ie.exe, is hosted at 216.240.151.112 and http://ie-security.com (216.240.151.135). The user-interface of IE-Security is a rip-off of Microsoft Windows Defender.

VirusTotal scan result of IE-Security installer can be found here. By the way, people at IE-Security provide 27x7 support ;)

Files dropped by IE-Security installer:

%PROGRAMFILES%\IE-Security\ies.s1

%PROGRAMFILES%\IE-Security\ies.s2

%PROGRAMFILES%\IE-Security\ies.s3

%PROGRAMFILES%\IE-Security\ies.s4

%PROGRAMFILES%\IE-Security\iescan.exe

%PROGRAMFILES%\IE-Security\uninstall.exe

%USERPROFILE%\Desktop\IE-Security.lnk

%USERPROFILE%\Start Menu\Programs\IE-Security.lnk

where,

%PROGRAMFILES% is \Program Files\ directory in root-drive,

%USERPROFILE% is \Documents and Settings\UserName\ directory in root-drive.

Registry keys created by IE-Security installer:

HKEY_CURRENT_USER\Software\IE-Security

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "IE-Security"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE-Security

AntiSpyware 2009 and AntiSpywareBOT: Neighbours in crime!

noreply@blogger.com (swatkat) — Mon, 26 Jan 2009 10:38:00 +0000

Well, 590-B Schillinger Rd. South, Mobile, Al, 36695 seems to be the John Doe of addresses. Recently ParetoLogic blog posted about the address of the makers of rogueware AntiSpyware 2009. It seems that the headquarters of 2Squared, makers of rogueware AntiSpywareBOT, is also located in the same street. Even these guys have got a high-tech, high-profile CGI office ;)

Fake Obama websites spreading malware

noreply@blogger.com (swatkat) — Sat, 17 Jan 2009 18:53:00 +0000

Similar to eCard spam mails, we are now seeing US president-elect Barack Obama themed mails which contain links to fake websites. These sites host a malicious executable and this malware belongs to the same old Storm/Waledac family. One such mail and a fake website (http://donate.superobamadirect.com) are shown in following screenshots:

These fake sites are hosted using fast flux DNS technique - a typical method used by Storm botnet. It can be seen from the following screenshot that the IP address keeps changing frequently:

VirusTotal scan result of the malware can be found here. An automated analysis by ThreatExpert can be found here.

Fake eCard updates

noreply@blogger.com (swatkat) — Wed, 07 Jan 2009 19:50:00 +0000

Fake eCard spam mails continue to circulate even after the new-year excitement is settled down. As usual, these mails contain links to downloadable fake greeting cards that are generally named "card.exe" or "postcard.exe".

When executed, these malicious executables turn your PC into a zombie machine that becomes a part of Storm/Waledac botnet (more information can be found here and here).

Newer variants of fake eCard executables (hosted at http://topgreetingsite.com - do NOT visit that site! ) are not detected by many AVs as of now (as seen in VirusTotal scan here). An automated analysis of this file is available at ThreatExpert here.

SysProt AntiRootkit v1.0.0.8 released

noreply@blogger.com (swatkat) — Tue, 06 Jan 2009 17:49:00 +0000

A few key improvements were made in driver detection and disabling mechanisms, and hence here's the latest version of SysProt AntiRootkit :) The SysProt AntiRootkit v1.0.0.8 successfully detects and removes Zlob rootkits (TDSServ or Alureon family).

Similar to the steps followed in the case of GMER (as mentioned in the previous post), SysProt AntiRootkit requires two reboots to completely remove rootkit driver and its Registry entry. Following screenshots show SysProt AntiRootkit detecting Zlob rootkit driver and injected DLL:

Steps to remove Zlob rootkit driver:

Run SysProt AntiRootkit v1.0.0.8 and click "Kernel Modules" tab.
SysProt AntiRootkit shows rootkit/hidden drivers in red color. Click on the rootkit driver's entry and the click "Disable"
Reboot the PC
Repeat steps 1 to 3 (SysProt AntiRootkit will detect the same rootkit driver again)

Now, all the malicious files dropped by Zlob should be unrooted and hence "visible" to standard anti-malware scanners.

More information, changelog and download link for SysProt AntiRootkit v1.0.0.8 can be found at following locations:
MajorGeeks
Softpedia
SysProt AntiRootkit primary download page

Feedbacks are welcome :)

Zlob fake codec rootkit removal procedure

noreply@blogger.com (swatkat) — Wed, 31 Dec 2008 17:28:00 +0000

Lately there has been a rise in rootkit based Zlob fake codecs and video players. The rootkit belongs to TDSServ family, and is quite difficult to remove using standard anti-malware tools. Now, we will see how to remove these rootkit based Zlob malware. This removal procedure holds good for Zlob variants that drop kernel mode rootkits such as BrakePlayer, Moon-Player, TurboPlayer and Light-Track etc.

The removal process consists of three steps:

Removing rootkit driver file and its Registry entry
Removing other malware files dropped by Zlob installer
Removing stray "shell open command" entry (a.k.a malicious autorun.inf file)

Download the following tools and install them (do not run them as of now):

Removing rootkit driver file and its Registry entry:

Launch GMER.exe. As soon as GMER starts, it performs a preliminary system scan. If it finds any traces of rootkit, it will ask you to run a full PC scan. Click "No" for this prompt.
Now, click on "Rootkit/Malware" tab and then select only "Services" checkbox (deselect all other scan options). Click "Scan" button to start scan. An example is shown in screenshot below.
GMER should show the rootkit service after the scan. Right-click on that entry and click "Delete Service". Click "Yes" for the prompts that pop up. An example screenshot is shown below.
Reboot the PC.
Run GMER again and repeat steps 1, 2, 3 and 4 again (GMER will again detect the same rootkit service again).

Note: If GMER does not detect any rootkit in its preliminary system scan (in Step 1 above), then you may not have kernel-mode rootkit variant of Zlob (or GMER is not detecting it ;)). Proceed to the section below.

Update: Zlob rootkit driver can also be removed using SysProt AntiRootkit. More information can be found here.

Removing other malware files dropped by Zlob installer:

Run Malwarebytes' Anti-Malware (MBAM), click "Update" tab and then click "Check for updates" button to download latest malware database.
Once the update completes, click "Scanner" tab and select the "Perform full scan" option. Select all the hard disk partitions (C:\, D:\ etc) and then click "OK" to start scan.
Once the scan completes, remove all the malware that MBAM may report. An example screenshot is shown below.
Reboot the PC.

Removing stray "shell open command" (a.k.a malicious autorun.inf file):

Go to Start Menu > Search option to open Windows Search tool. Make Search to look in sytem/hidden folders and files. Finally, search for files named autorun.inf. An example screenshot is shown below.
These autorun.inf files contain few commands which instruct Windows Explorer to load a Zlob malware file (generally, %rootdrive%\resycled\boot.com) whenever a user double-clicks on drive icons. Delete all the autorun.inf files found in hard disk partitions (for ex: C:\, D:\ etc)
Reboot the PC.

Finally, run an online scan at F-Secure or TrendMicro to make sure that the PC is clean. Hopefully, the Zlob rootkit will be gone for good by this time!

Rogue security software video tutorials

noreply@blogger.com (swatkat) — Tue, 30 Dec 2008 18:15:00 +0000

This is really hilarious. It seems that the rogue software gang decided to improve OOBE of their software! They now have video tutorials at YouTube, which tell how to run online malware-scan and how to remove malware using their software for FREE! Check out these screenshots of the video:

Here are the links to some videos:
http://www.youtube.com/watch?v=jykJ1erupZ4
http://www.youtube.com/watch?v=FSQ0WpoyZJo

Video uploaders' profiles:
http://www.youtube.com/user/AntiVirusSpywareMalw
http://www.youtube.com/user/OkThisJustAnti

The webiste, www.antiviruson.com (89.111.176.21), mentioned in those tutorials redirects to another website that hosts System Security rogue application. Do NOT follow the steps told in those tutorials ;)

Zlob updates

noreply@blogger.com (swatkat) — Sun, 28 Dec 2008 17:35:00 +0000

Zlob gang does not seem to be in holiday mood. They are churning up more domains to spread their badware. Here are some of the new domains:

94.247.3.232
216.240.151.112
78.159.99.52
www.newdllsolution.com (92.241.163.90)
http://brakeplayer.net (94.247.2.183)

One of the site mentioned above, http://brakeplayer.net (94.247.2.183), hosts a fake media player installer called BrakePlayer. This installer actually installs a nasty kernel mode rootkit. Following screenshot shows the kernel mode hooks installed by rootkit driver:

The backdoor component of this rootkit establishes connection with a remote rogue server 85.255.112.188 (whois). VirusTotal scan results for the installer and rootkit driver files can be found here and here respectively.

Update: BrakePlayer removal procedure has been posted here. Hope that helps :)

New rogue: System Security

noreply@blogger.com (swatkat) — Fri, 26 Dec 2008 16:18:00 +0000

System Security is new rogue software. The installer is hosted at http://webnetworksecurity.com (91.211.64.31). Here's a screenshot of System Security:

VirusTotal scan results for the installer can be found here. BleepingComputer has a removal guide here.

Zlob updates

noreply@blogger.com (swatkat) — Mon, 22 Dec 2008 17:20:00 +0000

Here are some of the new Zlob trojan spreading domains:

http://vidzwares.com (92.241.163.90)
http://light-player.net (94.247.2.183)
http://fire-player.net (93.190.140.48)
http://downloadallsoft-now.com (94.247.3.228)
http://myprivatetubes09.net (91.208.0.221)

One of the Zlob variant (named wmpcdcs.exe, hosted at http://myprivatetubes09.net) uses Microsoft Windows Background Intelligent Transfer Service (BITS) to communicate with rogue servers to transfer data. Since BITS is a trusted Windows component, firewalls don't block it; making it easy for malware to download files from remote servers (info here and here). An automated analysis of this malware is available at ThreatExpert here.

Antivirus 360 featured in top PC magazines and antivirus certification labs!

noreply@blogger.com (swatkat) — Sun, 21 Dec 2008 11:54:00 +0000

No, we are not talking about Norton 360, which is a genuine security software. This is about Antivirus 360, one of the latest rogue security software (info here).

Now, gang responsible for Antivirus 360 has gone one step further! Their new site, http://anti-viruspcscanner.com (78.46.216.238), claims that Antivirus 360 has been rated as top antivirus solution by reputed websites like Computer Shopper, LAPTOP Magazine, PC Magazine, Computer Active, PC Advisor and CNET.

Apart from this, they also blatantly display Virus Bulletin, West Coast Labs Checkmark and ICSA Labs certifications, which are obviously fake!

All these fake recommendations and a deceptive name may lead an innocent PC user to download Antivirus 360 into his/her PC.

As per the site http://anti-viruspcscanner.com (78.46.216.238), the company responsible for Antivirus 360 is:

BOLZAR LIMITED Arch. Makariou III. 69. TLAIS TOWER. P.C. 1070. Nicosia, Cyprus.
Contact email: company@Antivirus360pro.com

And, it seems that BOLZAR LIMITED (http://bolzar.biz (216.195.62.169)) develops few other fake security software as well:
Antivirus Security - http://antivirussecurity-solution.com/ (89.149.255.191)
Antispyware32 - http://antispyware32.com/ (84.16.231.194)

VirusTotal scan result of Antivirus 360 is available here. An automated analysis of Antivirus 360 is available at ThreatExpert. Stay away from these rogues :)

eCard worm: The new batch!

noreply@blogger.com (swatkat) — Sat, 22 Nov 2008 16:52:00 +0000

After a brief period of inactivity, eCard themed spam mails seem to be back in action. As usual, these mails carry links to malware masqueraded as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):

This eCard malware is a mIRC based backdoor, and most of the AVs detect it. The dropper is actually a SFX file, following screenshot shows files bundled in the dropper:

When run, the dropper installs an mIRC client and also adds a WH_KEYBOARD message hook to log keystrokes. The mIRC client tries to establish connection with remote servers 89.46.165.197 (whois) and 210.51.167.75 (whois). An automated analysis of this malware is avilable at ThreatExpert.

Zlob and Vundo team up!

noreply@blogger.com (swatkat) — Thu, 20 Nov 2008 03:51:00 +0000

Recently, noticed few rogue websites that are pushing both Zlob fake codec and Vundo trojan. Usually, Vundo trojans spread in the form of keygens or cracks. However, the gang behind Vundo seems to be collaborating with Zlob gang to spread malware in the form of fake codecs!

Here's one such website, aaibberlinoschlosschn.com.cn (69.61.96.245), hosting both Vundo and Zlob. A Zlob installer is offered for download if "Continue" button is clicked, and a Vundo dropper is delivered when "Download free player" link is clicked.

VirusTotal scan results for Zlob and Vundo droppers are available here and here respectively.

Moon-Player

noreply@blogger.com (swatkat) — Fri, 07 Nov 2008 17:16:00 +0000

Moon-Player is one of the latest fake video codec/player by Zlob/DNSChaner gang! Moon-Player installer is dropped by the standard Zlob fake codec infection technique. An example of a dropper-website and installer is shown here:

Moon-Player installer is hosted at http://moon-player.com (203.169.164.18) (whois info). This particular Zlob variant is highly dangerous as it drops rootkit based spyware and also adds malicious DNS servers. Following HijackThis entry shows the rogue name servers added to the "NameServer" list of the system:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94

These name servers are located at Ukraine and whois information can be found here and here.

The rootkit component is a user mode rootkit that hides files by hooking APIs of ntdll.dll. Following screenshots show rooted file and hooked APIs:

The rootkit also injects a DLL into few of the standard Windows processes (alg.exe and spoolsv.exe), as shown in below screenshot.

The injected DLL C:\Windows\System32\Dll.dll actually does not exist, and the file that is really injected is C:\Windows\Temp\tempX.tmp (where X is some random number). This can be seen from the DLL information shown by IceSword. It seems that the injected file changes its name in the module list maintained in process PEB, to a dummy/non-existent one.

VirusTotal scan result of the installer can be found here. An automated analysis of the installer can be found at this ThreatExpert page.

Update: A Zlob (Moon-Player and other fake video players) rootkit removal tutorial has been posted here.

SysProt AntiRootkit v1.0.0.7 released!

noreply@blogger.com (swatkat) — Mon, 03 Nov 2008 16:07:00 +0000

Here's a quick update on SysProt AntiRootkit. Various improvements were made in SSDT hook detection and hidden files scanning feature. And as a result, here's the latest release - SysProt AntiRootkit v1.0.0.7.

Download SysProt AntiRootkit v1.0.0.7 from MajorGeeks. Your feedback is welcome :)

Supported operating systems: Windows 2000/XP/2003 32 bit.

SysProt AntiRootkit v1.0.0.6 released!

noreply@blogger.com (swatkat) — Sun, 02 Nov 2008 18:11:00 +0000

Here comes the latest version of SysProt AntiRootkit, with various improvements over the previous version. Following list summarizes the improvements in SysProt AntiRootkit v1.0.0.6:

Improved hidden drivers and services detection
Improved driver/service disabling feature
Improved process killing mechanisms
Added DLLs view for processes (double-click on a process to see loaded DLLs)
Brand new hidden and locked files/folder scanning
Color coded display (hidden items are displayed in red color)
Ability to filter the display to show only hidden items
Various optimizations in driver for better performance and stability

Here are some screenshots which show SysProt AntiRootkit v1.0.0.6 in action:
Processes view:

DLLs of a process:

Hidden drivers:

Hidden and locked files:

SSDT hooks:

Download SysProt AntiRootkit v1.0.0.6 from MajorGeeks. Feedback is welcome :)

MSoftCodec

noreply@blogger.com (swatkat) — Sun, 02 Nov 2008 08:47:00 +0000

MSoftCodec is yet another fake codec belonging to Zlob trojan family. The dropper, MSoftCodec.exe, is hosted at 1st-download-software-base.net (206.51.225.218) (whois info). As of now, detections are poor as demonstrated by this VirusTotal scan.

Fake DivX codec

noreply@blogger.com (swatkat) — Sun, 26 Oct 2008 08:36:00 +0000

Here's a new Zlob fake codec variant, which touts itself as DivX codec. The dropper is named as DivXCodecPKG.7.exe and is hosted at http://softawe-download-forpc.com (66.232.126.78). Whois information for this domain can be found here.

As of now, detection by AVs are not good. VirusTotal scan result can be found here.