Thursday, August 31, 2006

Stats, dialers, and hilariously bad products

People complaining about dialer requests, puzzled surfers, strange requests of installation of suspicious software on otherwise clean sites; welcome to Netvision's latest scam: "free" stats with hidden dialer installation.

It all starts with people looking for "free" stats for their website; since many do not have the possibility to install server-side visitor statistics for their web page, they look for free alternatives. Never mind that these are always hideously inaccurate, unreliable, and often come with ugly logos to boot: people want statistics. Some services, such as Shinystat, have been around for many years; although this service represents a minor annoyance with its tracking cookies, it's nothing compared to the crap that comes with freestat.ws, mystat.ws, puntostat.com, and all the other creations of Netvision/Carima, one of the worst trojan/dialer pushers in the world.

"Freestat.ws" claims to offer free statistics with no limitations: all you need to do is publish the code that they give you on your web page. But let's take a look at an example of this so-called code:

<script type="text/javascript" language="JavaScript" src="http://www.freestat.ws/logo.asp?utente=17166"></script>

This is a simple JavaScript that we can download and analyze:

$ wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://www.freestat.ws/logo.asp?utente=17166

The first thing we notice is an iframe with zero height and width. Now, anybody who has ever seen malware installations knows how much these scammers love small iframes. This one from the page also points to a site with a moronic name, also a bad sign:



So let's see what that is:



The JavaScript property location.search returns the parameters in the querystring, in this case st=1&p=2, so we can replace location.search with "st=1&p=2", remove the first "if", turn the document.write into an alert and see what the page calls. Which turns out to be:

http://http-ssl256-number-secure-systemiiieifuf666777lliiiiiliiili-com.net/winsc1/script-2.asp?st=1

And there already we spot the first dialer:





We can also note that in the same page, the page checks the response timings of the JavaScript, avoiding loading the dialer if the user has an ADSL or faster connection. Also, it just won't give up: if you say "no" to the installation, it will prompt you again to install their so-called "100% virus free" (yeah, right) crap. And again. And again.

But let's go back for a while. Now, the first page also contained a commented-out link to another page on another domain:



Which turns out to be this:



"Protected with Web Encrypt 2.4"? Uhhhh... color me scared.

Please. This kind of protection is trivial to break. The grammatically-challenged homepage for Web Encrypt says "ultimate HTML & Javascript code protection". Give me a break. Not only does this thing break accessibility, slow down web pages, and give a totally false sense of security, it's also the favorite tool of scammers in their stupid attempts at hiding malware installations.

By the way, just how hard is it to break this so-called "encryption"? It took me about 6 minutes, and I'm actually ashamed it took me so long:



The linked page,
http://software-free.org/winupg/script.asp?id=2&wm=17166 calls another trojan/dialer installation, this time on
http://deposito.hostance.net/dialer/605684.exe

Like the one before, this page also checks the loading time (this time that of an image, on
http://138.188.193.166/adsl.jpg) and prompts the installation of the trojan only for modem-like timings.

In the end, never ever put "free" web statistics on your web page if you are not sure what they provide. Also, block these domains as soon as possible, as they are all related to the ugly Netvision/Carima dialer crap:


software-free.org (dialer loader pages)

trafficredlight.net (trojan repository)

hostance.net (trojan repository)

138.188.193.166 (trojan "loader checks")

freestat.ws (dialer scam stats)

specialstat.com (dialer scam stats)

statistiche.ws (dialer scam stats)

webmobile.ws (dialer scam stats)

superstat.info (dialer scam stats)

megastat.net (dialer scam stats)

puntostat.com (dialer scam stats)

http-ssl256-number-secure-systemiiieifuf666777lliiiiiliiili-com.net (dialer loader pages)

67.15.56.230 (counter/trojan dialer starter)

free-default-update-win-mac-free-antivirus-nospam-download.net (Netvision-related crap)

Saturday, August 26, 2006

Gromozon: all you need to know

After some sleepless nights, and after quite a few warnings on my part about the nastiness, it seems something is definitely moving.

The merit goes to Marco Giuliani of PrevX, who collected a few of the discoveries by me and other researchers, but most importantly all his own discoveries (which are very detailed, and include great behavior analysis of the threat on an infected system).

Head on to Marco's pdf here.

Use this link if you have problems with the one above.