From the monthly archives:

May 2006

Trojan Erazer-A Spreading across P2P networks

by certifiedbug on May 17, 2006

in Security

The Register
Vigilante malware
By John Leyden
Published Wednesday 17th May 2006 11:57 GMT

Virus writers have created a Trojan that deletes illicit files from compromised Windows PCs in addition to harvesting data from infected machines.

Erazer-A is spreading (albeit modestly) across P2P networks, where it poses as useful program files, or through chat programs.

If executed, the malware scours folders used for P2P apps for AVI, MP3, MPEG, WMV, GIF, ZIP and other files. It then erases any porn, warez, music or any other matching file type found in P2P directories before dropping copies of itself (using names such as game.exe, goporn.exe, nero7.exe and officexpcrack.exe) in the shared folders of peer-to-peer (P2P) applications.

Erazer-A also turns off security applications running on the compromised machine. More information on the malware, and how to defend against it, can be found in an analysis by UK-based anti-virus firm Sophos here. ®

Copyright © is the original authors

Poker Rootkit

by certifiedbug on May 17, 2006

in Security

F-Secure
Wednesday, May 17, 2006
Posted by Kimmo @ 13:34 GMT
How’s your poker face?

Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn’t long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user’s %SystemRoot%\system32 folder and executes them.

The purpose of the dropped executables is to collect login information for various online poker websites from the user’s computer and send them back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and launch point from the registry.

The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and various other applications to all poker players. As a result, many online poker players could have been affected by this targeted attack.

Monday, May 15, 2006
Posted by Mikko @ 04:07 GMT

Relating to our earlier post on the RBCalc rootkit, we’ve received some questions on what the malicious RBCALC.EXE application looked like.
Here are some screenshots:

We’ve also updated our technical description of this backdoor, complete with a list of poker applications that are targeted:

PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

CheckRaised:

NOTICE: POSSIBLE VIRUS IN RBCALC. PLEASE READ

In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).

It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.

The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a third party contacted us about the malicious software.

If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.

180 Solutions Zango - High Vulnerability

by certifiedbug on May 15, 2006

in Security

Cyber Security Bulletin
Vulnerability Summary for the Week of May 15, 2006
Source: US-CERT

180solutions Zango downloads “required Adware components” without checking integrity or authenticity, which might allow context-dependent attackers to execute arbitrary code by subverting the DNS resolution of static.zangocash.com.
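As an added illustration of the weakness US-CERT describes (example code written for this page, not 180solutions' or US-CERT's own), the block below simulates an updater whose only trust anchor is the hostname: with resolution of static.zangocash.com redirected to a constructed rogue address, the unchecked path runs whatever arrives, while a pinned SHA-256 digest rejects the swapped payload. The addresses, payloads and resolver tables are constructed samples, and only the integrity half is shown; a real updater would also verify a vendor signature for authenticity.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor-published component and the digest the
# updater is assumed to carry pinned in its own binary (assumption for this
# example, not a description of how Zango actually worked).
GENUINE_COMPONENT = b"genuine component bytes (constructed sample)"
PINNED_SHA256 = hashlib.sha256(GENUINE_COMPONENT).hexdigest()

# Constructed "network": what each server returns for the component path.
# 203.0.113.10 and 198.51.100.7 are documentation (TEST-NET) addresses.
SERVERS = {
    "203.0.113.10": GENUINE_COMPONENT,            # vendor's real host
    "198.51.100.7": b"substituted payload (constructed)",  # rogue host
}

# Resolver tables: the honest one and one where the name has been subverted.
HONEST_DNS = {"static.zangocash.com": "203.0.113.10"}
POISONED_DNS = {"static.zangocash.com": "198.51.100.7"}


def download_component(hostname, dns_table):
    """Fetch the component from whatever address the resolver hands back."""
    return SERVERS[dns_table[hostname]]


def insecure_update(hostname, dns_table):
    """The pattern in the advisory: execute whatever arrives, no check at all."""
    payload = download_component(hostname, dns_table)
    return ("executed", payload)


def hardened_update(hostname, dns_table, pinned_sha256=PINNED_SHA256):
    """Compare the downloaded bytes against the pinned digest before execution.
    compare_digest keeps the comparison constant-time."""
    payload = download_component(hostname, dns_table)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256):
        return ("rejected", actual)
    return ("executed", payload)
```

With honest resolution both paths run the genuine component; once the name is redirected, only the pinned-digest path refuses the substitute.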

WinAntiSpyware2006 - SANS Article

by certifiedbug on May 15, 2006

in Rogue

Handler’s Diary
Internet Storm Center
Different strokes for different folks, spyware and browsers
Published: 2006-05-12,
Last Updated: 2006-05-12 00:23:57 UTC by Bojan Zdrnja

One of our readers, Chris, sent us a URL to an interesting site. The site in question tries to install some spyware on the user’s machine. This in itself is not interesting, but some “more advanced” features that we’ve seen deployed on this site are.

The site creators first set up a wildcard DNS entry for their domain, so anything prefixed to their domain name will go to their web server. They needed to do this so they can try to poison Google rates and enhance their page rankings when users are searching for potential keywords. In Chris’ case, he was looking for information about one higher education institution (the attack is not limited to higher education institutions; we’ve seen a lot of other “poison” attempts from this group).

Search engines

by certifiedbug on May 14, 2006

in Security

The Safety of Internet Search Engines
May 12, 2006
Ben Edelman
Advisor to SiteAdvisor

Hannah Rosenbaum
Research Analyst, SiteAdvisor

Abstract
We compare the safety of leading search engines, using SiteAdvisor’s automated Web site ratings.

Key Findings
All the major search engines returned risky sites in their search results for popular keywords.
Overall, MSN search results had the lowest percentage (3.9%) of dangerous sites while Ask search results had the highest percentage (6.1%). Google was in between (5.3%).

Sponsored results contained two to four times as many dangerous sites as organic results.
There was little correlation between search result placement and safety. Page 1 results were only moderately safer than results for pages 2-5.

Dangerous sites soared to as much as 72% of results for certain risky keywords. Particularly dangerous keywords include “free screensavers”, “bearshare”, “kazaa”, “download music”, and “free games.”

We estimate that US consumers make 285 million clicks to hostile sites every month as a result of search engine results.


Botnet master jailed

by certifiedbug on May 9, 2006

in News

Resident Evil
theregister.com
By John Leyden
Published Tuesday 9th May 2006

A California man has been jailed for almost five years for running a zombie network of compromised PCs.

Jeanson James Ancheta, 21, of Downey, California, used the botnets he controlled to display cash-generating adverts and as a resource he “rented” for hackers and spammers to run either denial of service attacks or junk mail campaigns.

His network of thousands of zombie computers included machines at the Weapons Division of the US Naval Air Warfare Center in China Lake, California, as well as other US Department of Defense PCs.


Yapbrowser responds to Porter’s Interview

by certifiedbug on May 5, 2006

in Browser, Security

revenews
Wayne Porter
May 05, 2006

I have now received the responses from Yap Browser. Special thanks to Anna of Sunbelt and Joeseph of Facetime for taking out time to provide translation services. The controversy all started when some researchers downloaded the Yap Browser, which was bundled with 180 Solutions’ Zango product, and the browser was serving up what appeared to be UA Porn (Under Age Porn). This seems to be a hot topic as of late. Heck, even Jimmy Daniels checks in that Google is now being sued for child porn advertising.

Per the rules of engagement I will refrain from comments here. However, trackbacks are on; if your trackback does not show up please e-mail me and I will put up a summary. On to the interview.

Macs no longer immune to viruses

by certifiedbug on May 1, 2006

in Security

Apple’s growing market share, new chips said to be making it more of a target
MSNBC
AP (Associated Press)
Updated: 4:15 p.m. ET April 30, 2006

SAN FRANCISCO - Benjamin Daines was browsing the Web when he clicked on a series of links that promised pictures of an unreleased update to his computer’s operating system.

Instead, a window opened on the screen and strange commands ran as if the machine was under the control of someone — or something — else. Daines was the victim of a computer virus.

Such headaches are hardly unusual on PCs running Microsoft Corp.’s Windows operating system. Daines, however, was using a Mac — an Apple Computer Inc. machine often touted as being immune to such risks.

Story continued:

SSL-evading Trojans

by certifiedbug on May 1, 2006

in Security

How SSL-evading Trojans work
Trusted code, back-end defenses are the best ways to fight back
By Roger A. Grimes
May 01, 2006

SSL-evading Trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today’s Internet banking and financial institutions. As with any Trojan, this type can do anything allowed by the user’s security permissions.
There are three basic flavors of SSL-evading Trojan: credential-stealing, bogus SSL, and transaction-based.

Ultimately, SSL-evading Trojans can be defeated only when users stop running untrusted code — or better still, when banks deploy back-end defensive mechanisms that move beyond mere authentication protection.

Full Article here:
InfoWorld

E-commerce in crisis:

by certifiedbug on May 1, 2006

in Security

InfoWorld
By Roger A. Grimes
May 01, 2006

Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques.

Phishing with a hook
Phishing remains the weapon of choice for online bank theft — and the sleight of hand that tricks users into visiting a phishing Web site continues to get more sophisticated. Phishing e-mails now show up with the user’s address, ZIP code, or account information already filled in, indicating that professional criminals are using other, previously compromised resources to gain the trust of consumers.

Fighting the last war
Most banks and e-commerce sites fall one step behind, responding to Trojans that steal log-on credentials by creating more complex authentication schemes and implementing two-factor authentication solutions. Today, banks frequently require that users click on-screen, randomized keyboards; type in the random letters of a “magic word”; or enter information from a hardware-based cryptographic key fob. None of these solutions works against the new breed of SSL-evading Trojans.
