Categories
Security

Mysterious case of the broken browser

A friend of mine asked me to take a look as to why Google and Bing were inaccessible using Firefox. I dove in and realized that they were also unreachable using Internet Explorer, Chrome, and even command line ping. It became apparent that the hosts file had been hijacked. In fact, these entries were the only ones present:

87.229.126.50 www.google.com
87.229.126.51 www.bing.com

I swiftly removed them from the hosts file and both websites loaded fine. But what had put them there? With a working browser, a quick search revealed that those addresses were not legitimate and something had clearly hijacked the machine.

Knowing my friend to be an avid Malwarebytes Anti-Malware user, I checked the quarantine and found several objects. The main files appeared to be dplayx.dll and dplaysvr.exe and had several registry entries allowing them to start with the computer. I sent the files to Adam Kujawa, a Malware Intelligence Analyst working with me at Malwarebytes. Adam confirmed that this malware was responsible for the hosts file redirection.

However, a further analysis revealed a more cynical side. Adam continued by saying that “all binaries analyzed were heavily packed with custom obfuscation methods and employed anti-debugging tricks which made them a pain to get through” and that “the use of the filenames dplayx.dll and dplaysvr.exe is important because the names belong to legitimate applications and are integral parts of Direct X.”

While not new, the use of these particular filenames shows that malware authors are still trying to hide their executables behind legitimate names.

Categories
General

Holy spam, Batman!

As I arrived in London this morning I opened up my phone’s e-mail client and saw upwards of 1,000 e-mails downloading. At first, I had no idea what was going on, but then I realized they all had the same subject, “Please stop supporting the New York Times traitorous propaganda.” Spam, and lots of it. They are still coming in at one per minute.

Image of a sample e-mail attached. Anybody else getting these?

Categories
Security

Check if you’re a digital pirate

With all of the SOPA talk this month, I figured an article on piracy was deserving. Being able to pinpoint users of pirated software is becoming easier and more accurate. For example, check out YouHaveDownloaded.com, a website that lists the torrents you may have downloaded in a certain time span. While the website is not perfect, for those who have static IP addresses, it can get pretty close and provide you a list.

In one article on CNET, it was mentioned that “someone in the home of French President Nicholas Sarkozy, a strong proponent of anti-piracy legislation, has been using BitTorrent to download pirated versions of music and movies.”

If the Stop Online Piracy Act passes in the United States, I’m sure technology to track torrents and other illegal downloads will improve. Consequently, imagine the privacy concerns I have for Internet users. This proof-of-concept website is scary enough!

Categories
Security

Malware in a barcode

Quick Response codes, also known as QR codes, are two dimensional barcodes originally invented by the automotive industry to keep track of parts during manufacturing. However, these barcodes can hold any type of information and were quickly adapted to all types of different industries. Most smartphones now have applications that can quickly read and process QR codes. You simply point your camera at the barcode and take a picture.

The QR code generated above contains a link to this domain. While QR codes themselves do not contain malware, imagine a barcode that takes you to a malicious website. One that uses an exploit in your smartphone to install unauthorized applications. The possibilities are endless and as this technology becomes more popular, there becomes greater motivation to find ways to exploit it. John Vezina put it best when he said, “I could, if I wished, print out dozens of QR codes and peel and stick them to bus stops, power line poles, or anywhere the things can stick to.”

Categories
General

Malwarebytes brand exploited through search

It’s not often that I search for the term Malwarebytes on Google. I know how to get to my own company’s website by typing it into the address bar. However, when a friend or family member asks me how to get to our website, I almost always instruct them to search.

Unfortunately, there exists a market where bad people benefit by preying on our users. They create websites which advertise that they distribute Malwarebytes and instead, download a product of their own onto our user’s machine. They advertise on Google and turn up in search results. I’d equate this to a cereal company packaging their generic, less delicious brand into a Cheerios box and putting it on shelves.

If you see a page like this, it is fraudulent and you should go directly to www.malwarebytes.org instead.

It makes me sick, and I refuse to let it go on. Today, I instructed our legal team to pursue all of these cheaters in hopes that we can wipe them from the face of the Internet.

But that’s not all. How far is too far? Should advertisers on Google be allowed to use company names as keywords? If I search for Cheerios, should the first advertisement be for the generic brand? It’s allowed, a common practice, and in my opinion completely unethical.