Archive for August, 2008

Zango Platrium - Pirated Movies

Posted in Security, Video by wayne.porter on August 19th, 2008

Observation:

The crappier the software the more goofy the name e.g. zango or the latest iteration - Platrium…I thought only drug companies did this! (Put an X here and Z there and push it through testing…okay Bob)

CARNAGE

It just goes on and on and on…see some random date in 2006 or a more frequent rant. (see below)

…So long and thanks for all the fish. I doubt the FTC will do much about Platrium, but it does sound like a drug so maybe the FDA might get involved. This is proof positive that people really don’t like garbage on their computer. No matter what kind of “value proposition” you think you have. I enjoyed the steel cage matches.

Pwnage Value +50 
PhailScale Score: 7

Ken Smith even dropped in to give me a good beating…HI Ken!

Ken Smith Says:
When I realize that this is what passes for reasoned discourse amongst Zango’s sharpest critics, it gives me a great deal of hope that Zango is on exactly the right path. Criticism this inane should surely be interpreted as high praise.

Ken Smith (former Zango CTO and still Zango cheerleader)

Naturally being friendly I gave him my own take.

Ken,

When did you get the idea the post was a conversation? I ended conversations long ago based on Zango’s HISTORY…which is well documented and frankly quite lacking. I mean get real…you need some movies or jpgs, etc?

Nothing personal- but I do not care for Zango…I am hardly your sharpest critic…the model “sounds” good…but Zango never had or really tried to control the distribution base. Proof in the pudding.

For the record- people should have the right to download zango (if there is reasonable and obvious consent, not some “sendkeys” attack)…why they would seek it out is beyond me…

-Wayne

How About a Dose of Facts? :)

Kung-fu forces cannot keep paperghost away and more boards go flying….check this piece out in computerworld

“Adware vendor Zango profits from pirated movies, says researcher…

August 18, 2008 (Computerworld) Adware company Zango Inc. profits from copyright infringement, a Harvard University researcher charged today, after the company claimed that sites serving up links to pirated movies were operating within its rules when the sites pressed users to install Zango’s software.

The sites, Movietvonline.com and Bestcinemaonline.com, list dozens of recent movies and popular TV shows, including the recent blockbuster The Dark Knight. That was the film that caught the eye of Chris Boyd, the director of malware research for FaceTime Communications Inc., who last week said he had spotted Zango installation prompts on both sites.

“They want you to agree to install Zango in order to view whole movies, some streamed on the movietvonline site from other sources, others in the form of broken up downloads hosted on file-downloading sites,” said Boyd in a post to the FaceTime security blog last week.

…here are some of the inner goodies paperghost nailed. Pirated Movies! What a value proposition.

Survey says Probably Ardamax False Positive

Posted in Security, Video Games by wayne.porter on August 3rd, 2008

So here is the final- we think– wrap-up to the Wall-E Spyware madness…

From Sandi’s blog:

Well, for what it’s worth, I haven’t been able to find anything nefarious in either the UK or USA targeted installers for the wall-e inspired game that Symantec detects as a keylogger.  Wayne reports that Sunbelt’s new VIPRE product has found nothing.  TrendMicro also does not detect a problem.

I have installed the US and UK versions of the software in a VM with Process Monitor running and did not see any sign of Ardamax being installed by the game demo.  I have not tracked down why there is a difference in file size.

There is a chance, of course, that the installers that I downloaded behave differently in a VM, and I don’t have a sacrificial box available for live testing at the moment, but be that as it may, until and unless I find evidence to the contrary, I am assuming that the Symantec alert is a false positive, hoping I don’t have to eat crow later.

Timeless bangs away at the thing and updates his website and in the process rules out DNS poisoning.

Christopher Boyd a.k.a. paperghost weighs in at the SpywareGuide.com blog (with a nice wrap-up of events)…and comments that neither VIPRE nor VirusScan On Demand turned up anything odd…

The real mystery: why the file size discrepancy? Curious. All the people I spoke with tend to agree it is probably a false positive (still not 100% sure, since VMware was used), but what a nasty time to have one- during the launch of a major Disney movie…Let’s see what Symantec does…

ADDENDUM: Appears AVAST also flags the file as well…

Security- Size May Matter

Posted in Gaming, Security, Video Games by wayne.porter on August 3rd, 2008

Sandi Hardmeier, Microsoft Security MVP, has made an interesting observation about the current WALL-E download spyware business.

From her blog:

As you can see, the UK version of the game (which is the game that the original complainant downloaded) is 177 megabytes, as is the French version, the German version, the version for Denmark, and the version for Italy. The US version, on the other hand, that I started downloading is only 133 megabytes.

The Australian version is the same name, and size, as the USA version.  The same can be said for the versions for Denmark and Sweden and Finland and Spain.

The 177 meg versions all have unique file names - the 133 meg versions offered for download all have the same file name.

So, the first question is, why is there a 44 megabytes difference in size?  The installer for the Ardamax Keylogger is nowhere near that size.

It will be interesting to see the install test results for the two versions, once they finally finish downloading - they are coming down SLOWLY…..

Makes me wonder what else might be in the .exe Sandi???…some folks (like Sandi and Tom) are running the bloated binary through the wringer so maybe we will have some MD5 checksums and the like to examine. Bill Pytlovany underscores why this is a big deal (if it proves to be true) and why malware and spyware fighting is a never ending and rather frustrating business.

It’s always a pleasure to meet other security minded people but it’s troubling when it’s related to a new threat for our kids. My grandson Tristan went to the movies to see Disney’s new Wall-E and so did my new security friend who has the blog “Timeless Journeys”.

Kids…going to see a Disney movie and getting something nasty in the process from a game- and traffic analysis shows the canonical domains are hopping after the movie release…

I have seen it too many times to know what reality can be, e.g. Google Blogspot JS header injection or garbage like yapbrowser (another blast from the past). I still hope it is a false positive- which will also be curious as I am sure neither Disney nor Pixar want to be associated with spyware…I hope.

Spyware Games

Posted in Gaming, Security, Video Games by wayne.porter on August 2nd, 2008

The Situation:

Just caught this over at Timeless Prototype’s blog. I have long been an opponent of spyware, and this incident, if true, is truly revolting.

The Problem:

“You know it’s a sad time we live in when keyloggers are detected in games targeted at kids.

Yesterday (Saturday) I saw Wall-E at the movies with friends and family. Much anticipated, very impressed and I loved it. Next task was to check out the Wall-E game. Bonus, there is a game demo for the PC to download, here’s the link BUT DON’T CLICK IT - http://wall-e.playthq.com/. “

Given the Sony rootkit debacle, (for those with long memories), nothing is out of the question.

The Damage:

The Wall-E game was loaded with Spyware.Ardakey. It comes in two flavors (lite and regular) and it is a recorder of keystrokes. The program may perform the following functions:

-Keystroke logging
-Log transferring via email
-Log transferring via FTP
-Hiding and Unhiding its tray icon using the Ctrl+Alt+Del+H key combination

The infected file, assuming we rule out a false positive (which can happen), comes from a canonical domain owned by CacheFly. They specialize in hosting downloads and streaming media delivery. They serve some big names like Pluck, iolo Software, Cerulean Studios, Betanews.Com and Ars Technica. Basic traffic analysis shows quite a bit of exposure to the various sites (two domains reside on the box).

Three Basic Questions:

a) Is this a false positive? I tend to think that is unlikely given the unique thumbprint (see some below), but I haven’t performed a full dive. However, it makes no sense to load a keylogger into a commercial game. There is simply no business case for this.

  • %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Help.lnk
  • %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk
  • %UserProfile%\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk
  • %ProgramFiles%\NSK\AKV.exe
  • %ProgramFiles%\NSK\license.txt
  • %ProgramFiles%\NSK\menu.gif
  • %ProgramFiles%\NSK\NSK.002
  • %ProgramFiles%\NSK\NSK.003
  • %ProgramFiles%\NSK\NSK.004
  • %ProgramFiles%\NSK\NSK.005
  • %ProgramFiles%\NSK\NSK.006
  • %ProgramFiles%\NSK\NSK.007
  • %ProgramFiles%\NSK\NSK.chm
  • %ProgramFiles%\NSK\NSK.exe
  • %ProgramFiles%\NSK\qs.html
  • %ProgramFiles%\NSK\tray.gif
  • %ProgramFiles%\NSK\Uninstall.exe
  • %ProgramFiles%\Ardamax Keylogger\AKL.exe
  • %ProgramFiles%\Ardamax Keylogger\kh.dll
  • %ProgramFiles%\Ardamax Keylogger\il.dll
  • %ProgramFiles%\Ardamax Keylogger\AKV.exe
  • %ProgramFiles%\Ardamax Keylogger\Uninstall.exe
  • %ProgramFiles%\Ardamax Keylogger\license.txt
  • %ProgramFiles%\Ardamax Keylogger\qs.html
  • %ProgramFiles%\Ardamax Keylogger\tray.gif
  • %ProgramFiles%\Ardamax Keylogger\menu.gif
  • %ProgramFiles%\Ardamax Keylogger\AKL.chm
  • %ProgramFiles%\Ardamax Keylogger\akl.001
  • %ProgramFiles%\Ardamax Keylogger\akl.002
  • %ProgramFiles%\Ardamax Keylogger\akv.ini

b) Was the poisoned file a result of internal sabotage? This can happen- an insider or a ticked off employee.

c) Were the Cachefly servers compromised and/or during that time was the legitimate file swapped out with the logger?

I really cannot say, and I am sure more will come to light as this is really too large to ignore– knock knock paperghost grab a 9-iron.

(Yes - I know there are other scenarios, but three questions seem enough. )
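A defender’s triage check over the artifact paths listed under question a), as an added example (my code, not Timeless Prototype’s, Symantec’s or this blog’s): it expands the %UserProfile% / %ProgramFiles% paths, reports which ones exist on the host, and weights them so a couple of stray shortcuts do not count as much as the hook DLLs and executables. The weak/strong weighting and the subset of paths are my choices; the env and exists parameters are there so the logic can be exercised off a real Windows box.

```python
import hashlib
import os
import re

# Artifact paths quoted above from the Spyware.Ardakey listing (a subset).
# Shortcuts alone are weak evidence; the executables and hook DLLs are strong.
ARTIFACTS = {
    r"%UserProfile%\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk": "weak",
    r"%UserProfile%\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk": "weak",
    r"%ProgramFiles%\NSK\NSK.exe": "strong",
    r"%ProgramFiles%\NSK\AKV.exe": "strong",
    r"%ProgramFiles%\Ardamax Keylogger\AKL.exe": "strong",
    r"%ProgramFiles%\Ardamax Keylogger\kh.dll": "strong",
    r"%ProgramFiles%\Ardamax Keylogger\il.dll": "strong",
    r"%ProgramFiles%\Ardamax Keylogger\akv.ini": "weak",
}

_VAR = re.compile(r"%([^%]+)%")

def expand(path, env):
    """Expand %VAR% tokens from env (works off-Windows too) and use the host separator."""
    expanded = _VAR.sub(lambda m: env.get(m.group(1), m.group(0)), path)
    return expanded.replace("\\", os.sep)

def find_artifacts(env=None, exists=os.path.exists, artifacts=ARTIFACTS):
    """Return [(expanded_path, weight)] for each listed artifact present on the host."""
    env = dict(os.environ) if env is None else env
    hits = []
    for pattern, weight in artifacts.items():
        path = expand(pattern, env)
        if exists(path):
            hits.append((path, weight))
    return hits

def verdict(hits):
    """'installed' needs at least one strong artifact; shortcuts/ini alone are 'suspicious'."""
    if not hits:
        return "clean"
    return "installed" if any(w == "strong" for _, w in hits) else "suspicious"

def sha256_of(path):
    """Hash a hit so it can be matched against the sample the AV vendor actually flagged."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()
```

On the host under suspicion, call find_artifacts() with no arguments and pass the result to verdict(); hash any hit with sha256_of() before disputing a false positive with the vendor.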

ADDENDUM:

Cachefly has responded to me via e-mail.

“I can confirm that our servers were not compromised, beyond that I can’t offer much else.”

and a follow-up e-mail:

Obviously we’d like to be as helpful as possible, but since it’s related to customer data we’re rather limited in what we can discuss. I’ve opened a ticket to make THQ aware of this, and we can/will work with them on tracking stuff down if we need to (we do have a history of all versions of a file w/ filesizes/md5 checksums, and the dates/times/src ip of all revisions).

So they are now aware and the md5 checksums should prove definitive. Hopefully they will release these to the security community. (hint)
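Sandi’s size comparison in the post above and Cachefly’s md5 revision history come down to the same check, so here is an added example (my code, not Sandi’s, Cachefly’s or this blog’s) that fingerprints the regional builds, flags one file name that resolves to different content (the swapped-file scenario in the third question) and any build whose size strays from the rest, and verifies builds against a publisher checksum manifest. The installer bytes and the manifest format are constructed stand-ins, a few hundred bytes instead of megabytes.

```python
import hashlib
from collections import Counter, defaultdict

def fingerprint(data):
    """Size plus MD5 (what the CDN's revision history records) and SHA-256."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def compare_builds(downloads):
    """downloads: {region: (file_name, file_bytes)}.
    Flags a file name that resolves to different content (a swapped file) and
    regions whose size strays from the most common size (the 177 vs 133 MB gap)."""
    by_hash, by_name, sizes = defaultdict(list), defaultdict(set), {}
    for region, (name, data) in downloads.items():
        fp = fingerprint(data)
        by_hash[fp["sha256"]].append(region)
        by_name[name].add(fp["sha256"])
        sizes[region] = fp["size"]
    findings = []
    for name, hashes in by_name.items():
        if len(hashes) > 1:
            findings.append(f"name '{name}' served with {len(hashes)} different contents")
    usual = Counter(sizes.values()).most_common(1)[0][0]
    for region, size in sizes.items():
        if size != usual:
            findings.append(f"{region}: {size} bytes, {size - usual:+d} vs usual {usual}")
    return {"identical": {h: sorted(r) for h, r in by_hash.items()}, "findings": findings}

def verify_manifest(downloads, manifest):
    """manifest: {region: expected md5} as a publisher or CDN would supply (constructed)."""
    return {r: fingerprint(d)["md5"] == manifest.get(r) for r, (_, d) in downloads.items()}

# Constructed stand-ins for the regional installers: the big builds have unique
# names, the small ones share a name and are 44 bytes (not megabytes) smaller.
SAMPLE = {
    "UK": ("walle_demo_uk.exe", b"MZ" + b"U" * 175),
    "FR": ("walle_demo_fr.exe", b"MZ" + b"F" * 175),
    "DE": ("walle_demo_de.exe", b"MZ" + b"D" * 175),
    "US": ("walle_demo.exe", b"MZ" + b"S" * 131),
    "AU": ("walle_demo.exe", b"MZ" + b"S" * 131),
}

if __name__ == "__main__":
    for line in compare_builds(SAMPLE)["findings"]:
        print(line)
```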

Timeless Prototype has uploaded some more pictures, and Bill Pytlovany, maker of the highly regarded WinPatrol and a security expert, checks in via Twitter.

NPR Releases API

Posted in Gadgets Widgets, Social Networks, Technology, Web 2.0 by wayne.porter on August 2nd, 2008

Cool Department

NPR unveiled its new API. An API is a way to grab content and make mashups or other neat things. API stands for Application Program Interface. Code jockeys can create widgets for blogs or Facebook apps taking advantage of an archive of more than 250,000 stories going back to 1995.

NPR’s API provides a flexible, powerful way to access NPR content, including audio from most NPR programs, text, images and other web-only content from NPR and NPR member stations.

Once registered you can access the API by constructing a URL with parameters indicating what stories you want the API to return. The default format of the results is NPRML, a custom XML structure specifically designed to represent all of NPR’s digital content.

The API can also return results in RSS, MediaRSS, JSON, Atom and through HTML and JavaScript widgets with more result options promised.

Check it out! http://www.npr.org/api
