There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I've only received emails to the technical address of sites which have SSL (security) certificates on them.
*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!
The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:
Attention!
On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
So for example if you have a Web site called "theweaselstore.com" and your email address is "headweasel@theweaselstore.com" you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like
http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx
Needless to say, the "patch" you download from this address is a computer virus.
This is one of the most sophisticated social engineering attempts I've seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner's Web site embedded within it.
My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.
Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site's customers.
Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using "https://" and will have the browser padlock indicating that the site is secure, which may help it to fool more people.
I've mentioned in this post how a Web address can be designed to fool people. It does not matter what's in the address except for the part in front of the very first / character; so for example if you see a Web address that looks like
http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345
you are not on eBay. You can see where you are by looking at the part just before the first /, which in this case is
www.ebay.com.ws.eBayISAPI.dll.signin.ru
a site called signin.ru in Russia.
Similarly, in the URLs in these hacker emails, such as
http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx
the key part is the host before the first /, updates.theweaselstore.com.secure.ssl-datacontrol.com. The computer virus is being distributed from a site called "ssl-datacontrol.com".
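One way to put the rule above into code, as an added example that is not part of the original post: pull out the host a URL really points at and check whether a brand name is merely decorating a subdomain. The watch-list and the fourth sample URL (the "brand@real-host" trick, a related caveat) are my own constructions.

```python
from urllib.parse import urlsplit

# Constructed sample: the two deceptive URLs quoted in the post, one genuine
# eBay-style URL, and one using the userinfo trick ('brand@real-host').
SAMPLE_URLS = [
    "http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
    "http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
    "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
    "http://www.ebay.com@signin.ru/",
]

# Hypothetical watch-list: brands the reader does not want to be fooled about.
WATCHED_BRANDS = ["ebay.com", "theweaselstore.com"]


def real_host(url):
    """The host a URL really connects to: the text between '://' and the
    first '/', minus any 'user@' prefix and ':port' suffix. Hostnames are
    case-insensitive, so urlsplit already lower-cases the result."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def registered_site(host):
    """Approximate owner of the host: its last two labels ('signin.ru').
    Simplification: a real tool consults the Public Suffix List so that
    names like 'example.co.uk' come out right; fine for .com/.ru here."""
    return ".".join(host.split(".")[-2:])


def lookalike_brand(url, brands=WATCHED_BRANDS):
    """Return the watched brand whose name is buried in the host without being
    the host's owner, or None when the URL is genuine or unrelated to any brand."""
    labels = real_host(url).split(".")
    for brand in brands:
        b = brand.split(".")
        if labels[-len(b):] == b:
            return None  # really hosted under the brand's own domain
        # Brand labels appearing anywhere before the suffix are decoration only.
        if any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b))):
            return brand
    return None


def describe(url):
    """Summarise one URL: real host, owning site, and any lookalike brand."""
    host = real_host(url)
    return {"host": host, "site": registered_site(host),
            "lookalike": lookalike_brand(url)}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        d = describe(u)
        verdict = f"IMPERSONATES {d['lookalike']}" if d["lookalike"] else "ok"
        print(f"{u}\n    host={d['host']} site={d['site']} -> {verdict}")
```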
ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.
Trouble-free.net is an ISP I'm very familiar with. As near as I can tell, the "trouble" they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.
The whois for ssl-datacontrol.com is, unsurprisingly, Russian:
whois ssl-datacontrol.com
Whois Server Version 2.0
Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010
>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<
Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU
Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru
Registrar: ANO Regional Network Information Center dba RU-CENTER
So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.
The same rules apply to this as to all emails:
- DO NOT believe the From: address of an email. Ever.
- DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.
- Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.
- Mood: annoyed
I blame the_xtina for the fact that I discovered this evening what appears to be a large, coordinated, and widespread attack on multiple Web hosting providers.
I hadn't actually intended to do any computer security stuff today; my plans for the evening involved playing WoW.
the_xtina speculated during an IM conversation this evening about the existence of Viking porn, so naturally I did a Google search, and got rather more than I expected.
A Google search for "viking porn" turns up a few hits with a Google "this site may harm your computer" tag. Both of the first two I looked at--because I can't stay away from the "this site may harm your computer" tag--had a couple of interesting things in common: they were hosted on iPower Web, the notoriously insecure Web host I've written about on several occasions in the past; both had malicious redirection files in a directory named /backup/, both used a complex series of traffic redirectors before ending up at the malware site proper, and both were heavily seeded throughout Google using a very large number of popular pornographic and non-pornographic keywords.
In other words, all the hallmarks of the Russian Zlob gang. God, how I hate those people.
I widened the Google search using both common keywords (like "porn") and keywords I know the Zlob gang favors, and specifying inurl:/backup/ as part of the search.
What I ended up with was a VERY long list of compromised Web sites, each with a directory named /backup/ containing large numbers of files stuffed full of keywords and each of which redirects through a series of redirectors to a site that attempts a drive-by malware download.
Edited to add: Many, but not all, of the hacked sites also have invisible iFrames placed on them which load content from http://microsotf.cn/ or http://updatedate.cn/.
The first isn't resolving for me at the moment. The second is, but returns a blank page when loaded directly; again, it's probably checking the browser for exploits and attempting to download malware in the background.
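A check a site owner could run over their own pages for the pattern just described (invisible iframes pulling content from an outside host), as an added example that is not part of the original post. The sample page, the site host example-victim.test and the injected-host.invalid placeholder are my own constructions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "example-victim.test"  # hypothetical: the site being checked

# Constructed sample page; the outside host is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Welcome to the shop</h1>
<iframe src="https://player.example.test/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected-host.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<div style="display:none">
  <iframe src="https://example-victim.test/stats.html"></iframe>
  <iframe src="http://injected-host.invalid/b.php"></iframe>
</div>
<p>Normal content<br>continues here.</p>
</body></html>"""

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area",
             "base", "col", "embed", "source", "wbr"}


def _style_hides(style):
    """True when an inline style makes an element invisible or zero-sized."""
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    return re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", s) is not None


def _zero_size(attrs):
    """True when the width or height attribute is zero."""
    return any((attrs.get(k) or "").strip().rstrip("px") == "0"
               for k in ("width", "height"))


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden (directly or by a hidden ancestor)
    and whose src points at a host other than the site's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._open = []         # open tags: (tag, hides_children)
        self._hidden_depth = 0  # number of open ancestors that hide content

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hides = "hidden" in a or _style_hides(a.get("style", ""))
        if tag == "iframe":
            hidden = hides or self._hidden_depth > 0 or _zero_size(a)
            src = a.get("src", "")
            host = (urlsplit(src).hostname or "").lower()
            if hidden and host and host != self.site_host:
                self.findings.append(
                    {"line": self.getpos()[0], "host": host, "src": src})
        if tag not in VOID_TAGS:
            self._open.append((tag, hides))
            if hides:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, undoing hidden ancestors on the way.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                self._hidden_depth -= sum(1 for _, h in self._open[i:] if h)
                del self._open[i:]
                return


def find_hidden_external_iframes(html, site_host=SITE_HOST):
    """Return a list of {line, host, src} for each hidden, off-site iframe."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_hidden_external_iframes(SAMPLE_HTML):
        print(f"line {f['line']}: hidden iframe loading from {f['host']} ({f['src']})")
```

Run it over each HTML file in the document root; a visible embed and a hidden frame pointing at the site's own host are deliberately left unflagged.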
- Mood: aggravated
Michael Jackson is scarcely a few days dead and the malware writers are hard at work using the news of his death to spread computer viruses.
This morning I received an email telling me (in Spanish) that there was a YouTube video of Michael's death on the Internet, and I could see it (oh boy!) by visiting
http://youtubemichaelj.com
*** WARNING *** WARNING *** WARNING ***
This site is live as of the time of this writing. DO NOT visit this site if you don't know what you're doing. This site WILL attempt to download a Windows virus onto your computer.
The Web site looks just like YouTube, and presents a phony blank movie player image with an "An error occurred, please try again later" message in it, then attempts a drive-by download from
http://youtubemichaelj.com/Codec/120.exe
The download is a bit unwieldy for malware (1.8 MB in size)--much too large to be a variant on Zlob, Asprox, or any of the other malware commonly distributed as phony movie-player CODECs. I don't believe I've seen this particular malware before.
The registration information is most likely bogus. The site was registered yesterday:
whois youtubemichaelj.com
Whois Server Version 2.0
Domain Name: YOUTUBEMICHAELJ.COM
Registrar: DOMAINPEOPLE, INC.
Whois Server: whois.domainpeople.com
Referral URL: http://www.domainpeople.com
Name Server: A.DNS.HOSTWAY.NET
Name Server: B.DNS.HOSTWAY.NET
Status: clientTransferProhibited
Updated Date: 29-jun-2009
Creation Date: 29-jun-2009
Expiration Date: 29-jun-2010
Registrant:
T---- G---- (youtubemichaelj.com)
(WHOIS information redacted)
US
Registrar: DomainPeople Inc.
Domain Name: youtubemichaelj.com
Created on .............2009-06-29-14.36.03.127000
Expires on .............2010-06-29-14.36.03.000000
Record last updated on .
Status .................ACTIVE
Administrative Contact:
T---- G----
(WHOIS information redacted)
The site's hosted on Hostway. Hostway is an unusual choice for a virus dropping site; they're fairly clean, and a bit pricey. I suspect that the site will be disabled soon.
Given the choice of hosting companies and the size of the malware download, I am wondering if the people responsible for this malware aren't fairly new to the game. More experienced malware and virus writers, like the Zlob gang, prefer to host on hacked sites, screen their hosts behind a network of redirectors, and store the actual payload itself on servers in Eastern Europe.
- Mood: annoyed
According to this article on CNet News, the Federal Trade Commission has just shut down an ISP called Pricewert, which had sought to act as a one-stop shopping center for spammers, child porn, botnet operators, and virus and malware distributors.
Pricewert operated as a Web host under a bunch of different names--3FN.net, Triple Fiber, APS Communications, and a bunch of others.
I first became aware of 3FN back in February of 2008, when I started seeing spam for all kinds of porn sites hosted on their IP space. The spam I saw generally involved URLs hosted on 3FN that redirected to the affiliate sites of large pay-for-access porn sites--a common spam tactic I've seen before, especially from big-name offenders like Streamate.com.
Pricewert/3FN's business extended well beyond spam, though, and into hosting for botnet command and control servers, virus droppers, malware distribution, and even kiddie porn. In other words, about business as usual for an ISP in a place like the Ukraine or Latvia, but somewhat surprising for an ISP in the US. (Somewhat surprising, at least, until you consider that the founder of Pricewert/3FN was from the Ukraine, where the business culture is such that hosting malware, child porn, and botnet control servers is part of any ISP's normal revenue stream.)
And here's the part where I get all Ranty McRanterson.
What's really, really, really disappointing to me is how poor the US ISPs and backbone providers are at policing themselves, and how even egregiously illegal activity is tolerated by the vast majority of Internet service providers.
3FN's upstream providers knew that 3FN was a rogue ISP hosting criminals involved in spam, viruses, and malware. I know for a fact that they knew this, because I told them myself, with detailed evidence. In February of 2008. And in March of 2008 (four times). And in June of 2008. And in July of 2008. And in...well, you get the idea.
There is, in the world of ISPs and Internet connectivity, a tacit understanding that any sort of illegal activity, including identity theft, malware, fraud, and computer virus distribution, will be tolerated so long as it doesn't create too big an uproar and so long as ISPs occasionally move the offenders around from one IP address to another. Even child pornography is not going to create a problem so long as the hosting ISP removes or moves the child porn if they receive complaints.
ISP abuse employees do not generate revenue for an Internet company. In fact, they cost a company revenue. For that reason, ISPs will often hobble their own abuse teams (I sent seven complaints to one ISP about a hacked server on their network over a period of two months, only to be told that the abuse people were not permitted to take down the server until eight weeks after they had notified the owner to fix the problem--which is about like calling the fire department because your neighbor's house is on fire and the flames are spreading to your house, only to be told that the fire department would mail a notice to your neighbors, and would send the trucks out in eight weeks if the neighbors hadn't taken care of the problem themselves by then).
ISPs make money by selling hosting and bandwidth to people. Every site they take down is lost revenue; every downstream service provider they cut off is a lot of lost revenue. They're not going to lose that revenue unless they're forced to.
Case in point: The rogue hosting provider McColo, which was notorious for hosting child porn, computer viruses (they were a preferred host for the Russian Zlob gang and for the Asprox virus gang), and credit card identity theft rings (Fraudcrew hosted sites on McColo), yet remained merrily in business, with no problems from their upstream providers, for four years in spite of the fact that it was widely known and publicized that McColo catered exclusively to criminal clientele.
And, sadly, that's the norm, not the exception. Upstream and backbone providers will cheerfully provide connectivity to known-rogue ISPs even though the rogue ISPs violate not only the law but also the upstream providers' Terms of Service. Global Crossing, a mainstream, respectable business, knew that McColo was hosting computer viruses and child porn; they simply didn't care. The money of organized crime spends just as well as the money of honest businesses, and often there's more of it.
In the ISP world, often government intervention is the only way to shut down these operators. History has proven, conclusively, beyond all shadow of doubt, that ISPs and connectivity providers absolutely, positively cannot be counted on to police themselves; left to their own devices, they will permit just about anything to happen on their networks. The ongoing corrupt business practices of US ISP Calpop, for example, are ample proof of that.
It pisses me off to no end to see an entire industry that has, for all intents and purposes, quietly agreed to permit organized crime, identity theft, and child pornography on their networks as long as there's not too much of a fuss about it, and to take action only against the one or two most extreme offenders after many years of operation. While I do not normally see government intervention as a good way to solve business problems, in this case I do not believe the ISPs will ever police themselves effectively, or even want to; there's too much money in allowing this sort of network abuse. Given how widespread the problem is, I do not think there is any solution other than tighter regulation of criminal activity on the backs of ISPs' networks.
- Mood: aggravated
Mac users, we had a three-month respite. The Russian Zlob gang, which last September lost its servers that were distributing the Mac DNSchanger malware when the corrupt hosting company EST Hosts went dark, are back after Macs again.
Just discovered a server being used to spread Mac malware from
http://brakeplayer.net/download/get7003.dmg
*** WARNING *** WARNING *** WARNING *** This link is live as of the time of this writing. The payload, named get7003.dmg, contains a new version of the Mac DNSchanger, aka OSX.RSplug.A, OSX.RSplugin.A, or OSX/Zlob, computer malware.
The malicious server brakeplayer.net is brand new and is hosted in Latvia, on an ISP called "zlkon.lv".
whois brakeplayer.net
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BRAKEPLAYER.NET
Registrar: REGTIME LTD.
Whois Server: whois.regtime.net
Referral URL: http://www.webnames.ru
Name Server: NS1.BRAKEPLAYER.NET
Name Server: NS2.BRAKEPLAYER.NET
Status: ok
Updated Date: 26-dec-2008
Creation Date: 15-dec-2008
Expiration Date: 15-dec-2009
Name servers:
ns1.brakeplayer.net
ns2.brakeplayer.net
Registrar: Regtime Ltd.
Creation date: 2008-12-15
Expiration date: 2009-12-15
Registrant:
Nikolaj Selivestrov
Email: paul.aspen111@gmail.com
Organization: Private person
Address: ul. kosmonavtov, 132-13
City: Moskva
State: Moskovskaya
ZIP: 129301
Country: RU
Phone: +7.4957854978
I've also noticed an uptick in the number of hacked Web sites hosted by iPower Web lately. As I've talked about extensively here, here, here, and here, iPower is basically a mess. For more than a year now, hackers have been walking all over their servers, planting virus redirectors in sites that are hosted by iPower or their subsidiaries.
For a while, the number of attacks against iPower dropped to next to nothing, and I thought that they'd fixed their security problem. Now, I'm not so sure--now, I think that iPower is as compromised as it always has been, but the hackers toned down the attacks when they started getting attention. Can't prove it, but my hunch is there's a long-standing zero-day exploit in vDeck, iPower Web's home-grown Web control panel software.
I think we're going to be seeing more Mac malware in the near future.
- Mood: aggravated
I've spent quite a lot of time in this journal posting about a particular group of Russian computer virus writers, starting from when I first discovered last year that my name was being used to poison Google keyword searches and drive traffic to Web sites that attempt to download malware onto computers. (Does that make me an official net.celebrity?) I've made it something of a hobby to follow this particular group, and have written about how they have repeatedly hacked an ISP called iPower Web to spread viruses, and how they've built an elaborate underground computer network to funnel traffic to virus-infected Web sites.
Along the way, they've changed tactics a number of times. The hacks against iPowerWeb are still ongoing, though they seem to have slowed; at the height of the attack, iPower was hosting tens of thousands of newly-hacked Web sites per day, though now it's slowed to a paltry trickle...at any given time these days, there are only a couple hundred hacked Web sites living on iPower's servers. When the post about iPower first went live last December, I was flooded with emails from folks saying "My Web site is hosted by iPower and I've been hacked!" and I even got two phone calls from iPower customers whose Web sites had been penetrated. (Yes, my phone number is out there, for folks who want to dig it up. No, I'm not gonna tell you what it is.)
The interesting thing about this particular computer gang is their adaptability. They're constantly changing targets, and as time goes on their underground network grows larger and more resilient.
In the past, they've planted redirectors to malware sites on hacked Web servers, they've exploited security flaws in software like phpBB and WordPress to redirect traffic to virus droppers, they've set up fake FaceBook profiles that redirect visitors to virus-infected sites, and they've even created fake Google Groups to direct traffic to virus sites.
In the past couple of weeks, though, I've seen a whole new approach, and it's all about exploiting open redirectors.
Now comes the rant.
Folks, if you use a redirector anywhere on your site, it is *** ABSOLUTELY *** *** IMPERATIVE *** that your redirection script checks the browser referrer to make sure the referrer is your domain.
I can not stress this enough. This is easy to do; it takes one, or, at the most, two lines of code. You MUST do this.
That way, if someone clicks on a Google link to your redirector, it won't work.
This is a simple, easy thing to do. Yet many, many people do not do it, and as a result, they unwittingly allow their redirectors to be hijacked to poison Google results and spread computer viruses. One particularly notorious offender here, which I've seen abused in exactly this way, is the WordPress plugin called OZH Click Counter. The purpose of the plugin is to track link popularity, but it is vulnerable to this kind of abuse.
If you own a WordPress blog, I strongly, strongly recommend that you DO NOT install the OZH Click Counter plugin, or any similar plugin that uses an insecure redirector. I've seen many examples of Google links to malware droppers that take the form
www.somewordpressblog.com/content/go.php?http://www.somevirussite.com
It doesn't matter how obscure your site is. If you have an open redirector on your site, sooner or later it will be abused; the hackers use automated tools to search the Web for such redirectors.
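The referrer check the post calls for, written out as an added example (this is not the post's code and not the OZH plugin's; it is Python rather than the PHP a go.php script would be). It also adds a destination allowlist, which is the stronger control, and OUR_DOMAIN and ALLOWED_TARGET_HOSTS are constructed values for the post's "somewordpressblog.com" example.

```python
"""Added example: a redirector that only forwards clicks whose Referer is our
own domain, as the post recommends, plus a destination allowlist.

Assumed request shape (from the post's example): /content/go.php?<target-url>,
with the browser's Referer header supplied separately.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

OUR_DOMAIN = "somewordpressblog.com"  # constructed, from the post's example
# Constructed allowlist of hosts we are willing to forward to.
ALLOWED_TARGET_HOSTS = {"example.org", "www.example.org"}


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def referer_is_ours(referer: Optional[str]) -> bool:
    """True only if the Referer host is our domain or a subdomain of it.

    A plain endswith(OUR_DOMAIN) would accept 'somewordpressblog.com.evil.example',
    so compare exactly or against '.' + OUR_DOMAIN.  A missing Referer fails
    closed: the post wants clicks that do not come from our own pages refused.
    """
    if not referer:
        return False
    host = host_of(referer)
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def target_from_query(query: str) -> Optional[str]:
    """go.php?http://... carries the whole target URL as the query string."""
    if query.lower().startswith(("http://", "https://")):
        return query
    return None  # javascript:, data:, relative paths etc. are not forwarded


def decide_redirect(query: str, referer: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, Location or refusal reason) for one click."""
    target = target_from_query(query)
    if target is None:
        return 400, "no http(s) target in query"
    if not referer_is_ours(referer):
        return 403, "referer is not " + OUR_DOMAIN   # the Google-link case
    if host_of(target) not in ALLOWED_TARGET_HOSTS:
        return 403, "target host not in allowlist"   # second line of defence
    return 302, target


if __name__ == "__main__":
    # Constructed clicks: a poisoned Google result, a genuine on-site click,
    # and a look-alike referer that a sloppy suffix check would accept.
    for query, referer in [
        ("http://www.somevirussite.com", "http://www.google.com/search?q=x"),
        ("http://www.example.org/", "http://somewordpressblog.com/post"),
        ("http://www.example.org/", "http://somewordpressblog.com.evil.example/"),
    ]:
        print(referer, "->", decide_redirect(query, referer))
```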
- Mood: aggravated
...and not even twelve hours after Obama's acceptance speech, Eastern European organized crime are using America's feelings about this historic moment to spread computer viruses.
A little while ago, I posted about a gang of computer criminals who, while building a network of hacked computers to use to spread viruses and fake bank sites, had hacked a system belonging to the US Department of Defense.
Those very same criminals are now hitting my inbox with messages trying to get me to visit a server that downloads a computer virus disguised as a news story about Barack Obama's victory.
I've received two of the emails so far. Both are formatted the same way, and are identical in formatting to the phish emails that masqueraded as a bank "security update." The first carries a subject line reading "Obama win sets stage for showdown;" the second, "Priorities for the New President - TIME". Both come from the forged email address "news@unitedstates.com".
Okay, so that's the technical angle. The social angle is more interesting.
In the past, this particular group of criminals has contented itself with your standard, garden-variety phishing scams. They send out emails that read, for example,
"Attention all Bank of America Consumers.
At Bank of America, the security of your information is paramount. Our systems and security procedures are designed to keep your personal and financial data confidential at all times.
You also have a significant role to play and should adopt the following practices to help keep your personal and financial information protected from unauthorized use - Keep Your Internet Banking Session Secure and set up SSL Certificate."
The site that you go to when you click the link looks just like the Bank of America site, but of course it's not; and the "security certificate update" it downloads to your computer is, of course, a computer virus.
The new emails, though, have been branching out a little. They've been experimenting with using come-ons not related to banks, like this one:
"Dear Classmates customer.
Classmates Day 2009 soon! Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day! Your Classmates Are Waiting to Hear From You!"
And, natch, the "video invitation" is actually a computer virus.
Today, Barack Obama's victory has given them a new angle:
"Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!"
The "video" of his amazing speech is--you guessed it--actually a computer virus.
The Russian criminals behind this have demonstrated themselves to be adept at keeping track of hot-button issues and using them to exploit those folks who are inclined to believe every email they read.
It's interesting that these scams succeed, in part because the Web sites set up by the criminals have telltale markers of fakery all over them. The people responsible for these scams do not speak English as a first language, so the Web sites masquerading as banking sites or news sites tend to be replete with spelling and grammar errors.
Yet folks don't seem to notice.
I wonder if this isn't a side effect of America's culture of anti-intellectualism; learning and knowledge are so despised that people either expect their bank's Web site to be covered with spelling mistakes and grammar errors...or, worse yet, people don't notice the spelling mistakes and grammar errors.
The site that tries to download a virus disguised as Barack Obama's speech claims to be "America.gov: Telling America's Story" and then says "Introduction America.gov. Look amazing speech of new president."
- Mood: aggravated
So it turns out we may see a respite, even if only for a while, in new infections with the Mac DNSchanger malware.
The story starts with an Estonian company operating out of the US, called ESTdomains, and its associated Web hosting company, ESThosts. ESTdomains is the preferred domain registrar for Eastern European cybercriminals, who often host viruses and malware on its sister company ESThosts.
ESThosts relies on an upstream ISP called Intercage for its connection to the Internet. Happily, Intercage, which has long turned a blind eye to all kinds of criminal activity on the Internet, finally crossed the line and was dropped by its service provider. A new upstream provider rode to its rescue, only to have its packets dropped by an Internet backbone provider.
Why is this happy news for Mac users?
A while ago, I mapped out an underground network of virus and malware droppers, some of which were being used to spread the Mac version of the Zlob, aka OSX.DNSchanger, OSX.RSplug.A, or OSX.RSpluginA, malware.
Many of the sites that spread this malware were disguised as porn sites. Other sites were legitimate sites that had been hacked. Still other sites contained outdated, insecure versions of popular blogging or forum software such as WordPress and PHPnuke, and had been hacked to carry redirectors to the malware. Still other sites disguised the malware as antivirus software, or browser plug-ins, or any number of other things.
But--and here's the interesting part--all of these fake porn sites, hacked blogs, hacked Web sites, hacked forum sites, and bogus software sites all pulled the malware from the same repository, a server living at IP address 64.28.178.27.
Which is in Intercage's IP space, and so is currently unreachable.
Meaning that as of right now, the one server being used to spread the Mac DNSchanger malware is offline.
Now, I have no doubt that the bad guys are going to move the Mac malware to a different server at some point. But they are going to have to rejigger the rest of the network to point to the new server, which will take time. In the meantime, we should see a lot fewer infections with this malware.
- Mood: ecstatic
This has been a hella productive past few days, and I am well and truly pleased.
The first chapter of the book on polyamory is done, finished, put a fork in it. Proposals have been sent out. Chapter 2 is started. Chapter 3 is halfway done.
Downed the first two bosses in Serpentshrine Caverns and the first two bosses in Tempest Keep with my new raiding guild. My mage rocks like a rocky thing. It's just a pity she's Alliance.
Got a surprise phone call on Friday. The attacks against iPower Web, which are not only ongoing but are getting more sophisticated (since I wrote that last, the number of compromised iPower sites has surged again), are coming to the attention of iPower's customers. I received a phone call from a woman whose site had been hacked (twice!), and she had iPower on the phone when she called me.
The tech support monkeys at iPower told her that--get this--there's no vulnerability on their servers, and that her account was compromised because the attackers brute-forced her FTP password. Which was...err, sixteen characters, both letters and numbers, long.
*blink*
Anyway, she gave them the what-for and pulled all her sites off iPower. Maybe if they start losing enough customers, they'll fix their damn security.
And on the subject of Web sites, I've updated mine. I don't know what I'm going to do when I have a book in print and can't keep tinkering with it.
Last night, David and I tried playing as a team against six computer opponents in Age of Empires II. High difficulty, lowest resource setting. It was a humiliating debacle. We well and truly got our asses handed to us. Barely made it into the Imperial Age before the computer's armies closed around us and systematically scraped us off the map.
In two weeks I'll be in Chicago; planning to be there from the 19th through the 24th. Looking forward to spending time with dayo and scathedobsidian, I know you'll be around. amorsalado, dwer, will you guys be available?
So the past few weeks have been rough on Microsoft and on Adobe. First, a flaw in Microsoft SQL Server allows ASP sites to be compromised by a general SQL injection attack; then a flaw in the Adobe Flash player allows a miscreant to hijack the Web browsers of people with the Flash plugin installed.
In both cases, the vulnerabilities have been exploited to try to redirect surfers to a Web site at www.dota11.cn, which hosts a malicious script that tries to infect users' computers with a virus.
That's the old news.
The funny news--and believe me, I think this is fucking hysterical--is that one of the Web sites clobbered by the SQL injection attack is redmondmag.com, a Web site that is "the independent voice of the Microsoft IT community." It's a pro-Microsoft, look-how-great-we-are "news" site that has been so massively infected that...
uh...
...well, if you Google it, Google gives you a "this site may harm your computer" warning.
Many of the infected Web pages are pages about computer security--or, at least, apologies for Microsoft products masquerading as articles on computer security.
I know, I know, the real assholes here are the hackers, but still...goddammit, I can't stop laughing.
And it gets harder when ISPs are aware of security problems on their network but don't care. And believe it or not, I'm not talking about iPower this time.
Actual IM transcript from a conversation with xmission.com:
Tacit: You are hosting a phish.
Tacit: ftp://webmaster:webmaster@204.228.142.40/.ws/eBayISAPIi.dll
catalyst: chill, you could send a notification to abuse@xmission.com or to phish@ebay.com or whatever they have now
Tacit: Sent it two weeks ago.
Tacit: And a week ago.
Tacit: No response, phish still active.
Tacit: Two weeks is a long time.
Tacit: Your abuse@ address appears to be routed straight to /dev/null.
catalyst: I'm not an xmission employee, so I can't help, just thought I'd recommend some alternatives
rostrax: Abuse is a valid e-mail address and it is looked at.
rostrax: That would be my suggestion on what to do.
Tacit: Again?
Tacit: How many times do you think I should send the same email to abuse@xmission.com before I conclude that xmission supports and condones hacks and phishes on their network?
rostrax: How many times have you sent it?
Tacit: Four.
Tacit: First one two weeks ago.
rostrax: I cannot speak for our abuse team, but I'm sure they've looked into it
Tacit: If they've looked into it, and it's still active, what conclusion would you draw from that?
Tacit: 204.228.142.40 is on your network, yes?
rostrax: It is one of the IP's we have yes.
Tacit: And if you click on the above link, you would agree that it is definitely an eBay phish, yes?
rostrax: You have to understand businesses have certain ways of handling these things. It may take some time. Please be patient with us, if you could send another e-mail I would appreciate it greatly. Also cc it to rostrax [at] xmission.com
Tacit: I do understand that businesses operate certain ways; I run one myself. Two weeks to handle a phish? Even China Netcom deals with phish sites faster...
rostrax: I'm unsure of our particular policy, but if you can send the e-mail and cc me on it, I will look into it on Tuesday
---
Edit: It gets better. Apparently, this phish has been active on Xmission's network since at least April 9th.
So a while ago, I posted extensively about an underground network of computer virus distributors that I'd uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.
It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.
I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It's quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.
In the past couple of weeks, I've noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I've spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.
The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what's going on in the seamy computer underground, and a new map of the computer distribution network:
( Clicky the link! (We are going to get technical here) )
Note: Followup to this entry at http://tacit.livejournal.com/240750.html
So apparently, Macintosh users are now the targets of Eastern European organized crime.
First, a bit of backstory. Last December, I wrote an article about how I had done a Google search for my name and uncovered a massive hacking attack against a Web hosting company called iPowerWeb. iPower, a company in Phoenix, Arizona, has trouble securing their Web servers, and Russian organized crime can hack any Web site hosted by iPower completely at will.
That was last December. Today, as I write this, iPower still has not fixed their server security; each day, a whole crop of new Web sites hosted by iPower is hacked, and the hackers plant redirectors on the site that are designed to snare unwary visitors and send them to servers in Eastern Europe that attempt to infect users with computer viruses.
For the past couple of months, I have been emailing iPower every day with new lists of hacked Web sites they're hosting. Each day, I bug them to fix their computer security. Each day, they remove the virus redirectors that I tell them about, but they do not fix their server security; so the next day, more of their Web sites are hacked. Some poor sots who host Web sites with iPower have had their sites hacked over and over again.
In the past 48 hours, the nature of the hacks has changed. Between December and now, the hacks were all the same; the hackers would penetrate an iPower Web site, create a directory on the site named /her, create a directory on the site named /bad, and then create a directory with a one or two digit number as a name. The redirector pages would go in the numbered directory. This made spotting hacked iPower Web sites trivially easy.
About two days ago, the hackers began changing the naming scheme of the directory. This led me on a path to discovering an entire network of compromised Web sites, feeding into an elaborate underground network of computers used to distribute computer viruses.
And they're distributing Mac viruses now, too.
( If this stuff interests you, read on! (We're about to get technical here.) )
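The two indicators this post and the WordPress post above give a hosting provider something concrete to look for: the hackers' directory layout (a /her directory, a /bad directory, and a one- or two-digit numbered directory holding the redirector pages) and WordPress installs older than 2.5. The scanner below is an added example written for this page, not the author's own tooling or anything iPower ran; it walks a hosting root, flags those directory names, and reads the `$wp_version` string that WordPress keeps in `wp-includes/version.php`. The hosting layout it scans is constructed in a temporary directory so the script runs offline.

```python
"""Scan a web-hosting root for two indicators described in the post:
(1) the hackers' directory layout (/her, /bad, and a 1-2 digit numbered
    directory holding redirector pages), and
(2) WordPress installs older than 2.5 (read from wp-includes/version.php).
Added example for illustration; the webroot below is constructed for the demo."""
import os
import re
import tempfile

# Directory names the post reports the hackers creating on compromised sites.
KNOWN_HACK_DIRS = {"her", "bad"}
NUMERIC_DIR = re.compile(r"^\d{1,2}$")
# Oldest WordPress version the post considers acceptable.
MIN_WP_VERSION = (2, 5)
# WordPress stores its version as $wp_version = 'x.y.z'; in wp-includes/version.php
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([\d.]+)'")


def parse_version(s):
    """'2.3.3' -> (2, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def wordpress_version(site_root):
    """Return the WordPress version tuple found under site_root, or None if no install."""
    path = os.path.join(site_root, "wp-includes", "version.php")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = WP_VERSION_RE.search(fh.read())
    return parse_version(m.group(1)) if m else None


def scan_site(site_root):
    """Return a list of (indicator, detail) findings for one hosted site."""
    findings = []
    for name in sorted(os.listdir(site_root)):
        full = os.path.join(site_root, name)
        if not os.path.isdir(full):
            continue
        if name in KNOWN_HACK_DIRS:
            findings.append(("hack-dir", name))
        elif NUMERIC_DIR.match(name):
            # A numbered directory is only interesting if it actually holds web pages.
            pages = [f for f in os.listdir(full) if f.endswith((".html", ".htm", ".php"))]
            if pages:
                findings.append(("numbered-dir", f"{name}/ with {len(pages)} page(s)"))
    ver = wordpress_version(site_root)
    if ver is not None and ver < MIN_WP_VERSION:
        findings.append(("old-wordpress", ".".join(map(str, ver))))
    return findings


def scan_hosting_root(hosting_root):
    """Map each site directory under hosting_root to its findings (empty list = clean)."""
    return {site: scan_site(os.path.join(hosting_root, site))
            for site in sorted(os.listdir(hosting_root))
            if os.path.isdir(os.path.join(hosting_root, site))}


def build_demo_root():
    """Construct a throwaway hosting root: one hacked site, one stale WordPress, one clean site.
    All names (hacked.example etc.) are made up for the demo."""
    root = tempfile.mkdtemp(prefix="hostscan_")

    def touch(*parts, text=""):
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)

    touch("hacked.example", "her", "index.html", text="<html></html>")
    touch("hacked.example", "bad", "index.html", text="<html></html>")
    touch("hacked.example", "17", "polyamory.html", text="<html></html>")
    touch("hacked.example", "index.html", text="<html>legit</html>")
    touch("stale.example", "wp-includes", "version.php", text="<?php\n$wp_version = '2.3.3';\n")
    touch("clean.example", "index.html", text="<html>ok</html>")
    return root


if __name__ == "__main__":
    for site, found in scan_hosting_root(build_demo_root()).items():
        print(site, found or "clean")
```

Pointed at a real hosting root (one directory per customer site), `scan_hosting_root` gives a provider the daily list the author was compiling by hand; the version check is the part worth keeping once the attackers change their directory names, as the post says they did.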
Last December, I was monkeying around on the Internet doing a Google search for my name, and I discovered a massive security breach at a major Web hosting company that eventually made it to The Register.
So today, I was monkeying around on the Internet doing a Google search for my name, and...
...wait for it...
...discovered that iPower has been hacked again, and hundreds more Web sites hosted by iPower have been penetrated by Russian organized crime and used to spread computer viruses. ( Want to know more? )
Apparently, my LJ post yesterday freaked some folks out; I got contacted almost immediately after it went up by a startling number of people asking for more information. Softlayer.com was on top of the problem with remarkable swiftness, and as of today the intrusion into their servers appears to have been corrected--all the hacked domains I was able to identify on their network are fixed.
( Cut for folks who don't much care for the technical details about this sort of thing... )
Note: Followups to this entry at http://tacit.livejournal.com/238112.html (part 1) and http://tacit.livejournal.com/240750.html (part 2)
UPDATED 13-December-07 10:50 EST Updates indicated in text
UPDATED2 14-December-07 1:05 PM EST Updates indicated in text
UPDATED3 14-December-07 2:00 PM EST Updates indicated in text
UPDATED4 02-January-08 2:44 PM EST Updates indicated in text
So I recently decided, like many folks do, to Google my name. I do this periodically, because it's always fun to see how many sites are linking to me (and I'm in the process of building a list of non-English mirrors of my polyamory site -- it's been translated into Polish, Hebrew, German, and a bunch of other languages, which is cool).
And in the process, I think I've discovered what might be one of the largest-scale cases of Web site hacking and virus distribution I've ever heard of.
A little background is in order. If you've used Google for any length of time, you probably know that when you Google popular keywords you'll often run into "spam pages." These are pages that are just stuffed full of keywords at random; in the Google search results, they will have titles like "tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran big cock" and have excerpts that look like "she shoved it in and bridal hosiery wedding cake viagra fetish smurf Bible amateur transvestite video free vacation europe nymphomaniac ipod". These are spam pages; they are filled with hundreds of keywords, and if you click on them, you will be redirected to the spammer's site. They exist just to intercept popular Google searches and direct traffic wherever the spammers want it.
They are also popular with virus writers. Virus writers will create thousands of fake Web pages filled with popular keywords, then use those Web pages to redirect visitors to servers that will attempt to automatically download viruses onto the computer of anyone running Windows who's unwary enough to click on them.
Okay, so.
Yesterday, I did a keyword search for my name. Normally, I get about nine pages of results; but yesterday, I got 56 pages of results, over 200 in all.
Most of these pages look like this:
The polyamory news franklin veaux mitt was rigid enough to prevent me from either closing them too hard or opening polyfamilies polyamory for the practical them too far. She raised my left hand and fastened it in a similar polyamory weekly podcast manner, into a similar latex mitten.society for human sexuality polyamory info "I just wondered. You were standing there with a dazed polyamory open wedding vows look on your face playing with that cucumber and I thought something might world polyamory association presentations and workshops franklin veaux. Once inside, he polyamory san diego quickly stripped off his apron and polyamory cape coral unfastened his belt and pants. It was nearly as big as Mark's, and open relationships polyamory that pleased her. Quickly unbuttoning her blouse to reveal her tits. page personal poly polyamory web He gently squeezed them, making her moan deep in her throat.
UPDATED3: I've looked at some of the random text on these pages, and it's not really random at all--it's a short porn story with random keywords seeded throughout it. It contains a number of statistically improbable phrases. One of these is "Ashley had always wanted to go there"--doing a Google search for that exact phrase results in 13,800 hits--nearly every single one of which is a spam redirector.
You get the idea. "Oh, well, this is interesting," thought I, "polyamory, and my name, have become popular enough Google web searches that the spammers are including them in spam pages now."
I clicked on some of these result links, curious to see who the spammer was and what site he was trying to direct traffic to.
And that's when things started to get weird. What I found was a very large, highly organized campaign to direct Web traffic to servers hosted in Eastern Europe that would infect visitors with a computer virus, all orchestrated by a single person or group of people and all being done by what appears to be a massive breach of hundreds and hundreds of hacked Web sites, all hosted by the same ISP--the largest single Web site security breach I've heard of.
If you want to keep going down the rabbit hole: ( Follow me! Things are about to get very technical here. )
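The spam pages described above have two traits a defender can test for without visiting the destination: they bounce the visitor off-site (a meta refresh or a script that rewrites `location`), and their text is one story template with keywords seeded into it, so every copy shares the same "statistically improbable" phrases. The script below is an added example written for this page, not the author's code; it generalizes the author's trick of searching for one shared phrase into word n-gram fingerprinting over a local corpus of pages and combines that with off-site redirect detection. The HTML samples, the hacked host names and the `dropper.example` destination are all constructed for the demo.

```python
"""Classify HTML pages as spam redirectors using the two traits the post describes:
an off-site redirect (meta refresh / script) plus story text shared with other pages.
Added example; every page in the corpus below is constructed, not captured."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# <meta http-equiv="refresh" content="0;url=http://...">
META_REFRESH_RE = re.compile(r'content=["\']\s*\d+\s*;\s*url=([^"\'\s>]+)', re.I)
# window.location = '...'  /  location.href = '...'
SCRIPT_REDIRECT_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


class TextExtractor(HTMLParser):
    """Collect visible text, ignoring script and style bodies."""
    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    p = TextExtractor()
    p.feed(html)
    return " ".join(" ".join(p.parts).split())


def offsite_redirect(html, page_host):
    """Return the target host if the page sends visitors to a different host, else None."""
    for rx in (META_REFRESH_RE, SCRIPT_REDIRECT_RE):
        m = rx.search(html)
        if m:
            host = urlparse(m.group(1)).hostname
            if host and host.lower() != page_host.lower():
                return host.lower()
    return None


def ngrams(text, n=6):
    """Set of n-word phrases in the text; six words is long enough to be 'improbable'."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def shared_phrases(pages, n=6, min_pages=3):
    """Phrases that occur in at least min_pages distinct pages: the template's fingerprint."""
    counts = Counter()
    for html in pages.values():
        counts.update(ngrams(visible_text(html), n))
    return {g for g, c in counts.items() if c >= min_pages}


def classify(pages, n=6, min_pages=3):
    """Map (host, path) -> verdict. A page is a 'spam-redirector' when it both redirects
    off-site and shares a template phrase with other pages in the corpus."""
    fingerprints = shared_phrases(pages, n, min_pages)
    out = {}
    for (host, path), html in pages.items():
        target = offsite_redirect(html, host)
        shared = bool(ngrams(visible_text(html), n) & fingerprints)
        out[(host, path)] = {"redirect_to": target, "template": shared,
                             "verdict": "spam-redirector" if (target and shared) else "ok"}
    return out


# Constructed stand-in for the spammer's story template (the post quotes the real one).
STORY = ("Ashley had always wanted to go there. She raised her hand slowly and "
         "looked at the door, wondering what might happen next.")


def stuff(story, keywords):
    """Imitate the spammer's page generator: seed keywords into the story at fixed offsets."""
    words = story.split()
    for i, kw in enumerate(keywords):
        words.insert(min(len(words), 3 + i * 4), kw)
    return " ".join(words)


def demo_pages():
    """Constructed corpus: three stuffed redirector pages on made-up hacked hosts, one clean page."""
    pages = {}
    for i, host in enumerate(["alpha.example", "beta.example", "gamma.example"]):
        body = stuff(STORY, ["polyamory", "franklin veaux", f"keyword{i}"])
        pages[(host, f"/{i}/index.html")] = (
            f'<html><head><meta http-equiv="refresh" content="0;url=http://dropper.example/go?id={i}">'
            f"</head><body><p>{body}</p></body></html>")
    pages[("clean.example", "/index.html")] = (
        "<html><body><p>Welcome to our store. Opening hours are nine to five on weekdays.</p>"
        "<script>var x = 1;</script></body></html>")
    return pages


if __name__ == "__main__":
    for key, verdict in classify(demo_pages()).items():
        print(key, verdict)
```

The redirect check alone would flag legitimate moved pages, and the shared-phrase check alone would flag any site that reuses boilerplate, which is why the verdict requires both; raising `min_pages` makes the fingerprint stricter as the corpus grows.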
- Mood: amazed - in the worst way
Computer viruses. If you're running a Windows computer, the odds are slightly more than 9 in 10 that your machine, right now, is infected with at least one virus. If you're not behind a firewall and you're on broadband, odds are good that when you leave your computer at night, spammers take control of your computer and use it to send spam, and Russian mafia roots around in it at will.
Microsoft would have us believe that there is nothing wrong with Windows, that there are many Windows viruses and zero Mac viruses because more people use Windows than Macs and virus writers go for the most popular platform, and that there are just as many known Mac security flaws as Windows security flaws.
This argument breaks down for a number of reasons. It's commercially useful to Microsoft, of course; if people actually knew how badly and terminally insecure Windows really is, fewer people would use it, so it is very important to Microsoft's bottom line that people accept the standard "nothing wrong here, it's just because Windows is so popular" myth.
For starters, the number of "Windows computers" targeted by a particular virus is not necessarily higher than the number of Macs. People make the mistake of thinking all "Windows computers" are all running the same operating system--an operating system called Microsoft Windows.
( Problem is, there is not an operating system called Microsoft Windows. )
Still, there's no question that even if you look at specific flavors of Windows--say, Windows 2000, or all the various patch levels of Windows XP, there are more computers running those operating systems than there are Macs. So this is why there are more Windows viruses, right? Virus writers want the most bang for their buck, so they only write for the most popular platform, right?
( Uh...actually, no. )
Still, it is not impossible that one day, a clever programmer will find a flaw in OS X which actually does permit an easy remote arbitrary code execution exploit, and the first OS X virus will be born. So even though the current total number of OS X viruses is exactly, precisely zero, it's still a good idea to run a program like Norton Antivirus on your Mac as a protection against that day, right?
( Actually, no. As it stands right now, running Norton Antivirus on a Mac is a really, really stupid idea. )
Whew. Wasn't that fun?
- Mood: viral
[EDIT] This particular post has generated a very large amount of email, and apparently is being read by a large number of people infected with VX2. As a result, I've edited it, to clean up typos and to add additional information about the exploits used, the way VX2 works, and the sources of the spyware scourge. New information is identified with [EDIT].
If you're reading this post and you're on a Windows computer, the odds are overwhelming--between 80% and 90%--that you are infected with at least one virus or spyware program, and the odds are very high that you're infected with dozens or hundreds.
Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected. There is lots and lots and lots of money in computer viruses and spyware, especially the variety that makes popup ads appear on your machine. The question I've always had, though, is who's making all this money by infecting your computer?
A couple nights ago, Shelly's computer became infected. Shelly's technically savvy, the apartment we live in is on a closed private network with a hardware firewall between us and the Internet, and she also runs a software firewall on her computer, and she still became infected nonetheless.
I spent about six hours removing the infection, and also tracking down the source of the infection, and painstakingly backtracking all the popup ads that the adware displayed on her computer. My goal: Follow the money. Discover where the infection came from, and who was making money from it. The results were, to say the least, interesting.
If you don't care about stuff like this, you can skip the rest of this message. If you're curious about the mechanisms by which spyware and viruses work, who is responsible for them, why they're so common, how they spread, and most important, who makes money by creating and releasing them: ( read on! )
- Mood: accomplished
So. I went to a client's site this afternoon to set up several brand-new Power Mac G5 systems. Apple Cinema Displays, Adobe Creative Suite Professional, Quark 6, the works. Beautiful systems; I wish I had one.
And then the client asked me to look at his Windows XP laptop, because it's been "acting funny."
He has broadband at his house. He's never run Windows Update.
It's after 9:00 at night and I'm still here. Why am I still here? 1,524 copies of the W32/Bagle.z virus and counting. Plus about 6,000,000 Windows security updates that need to be installed. And did you know that Bagle blocks Windows Update from doing its job? Isn't that lovely?
If you are reading this on a Windows computer, and you have never run Windows Update on your computer, you are infected with a virus. Or more likely, thousands of viruses. Yes, I mean YOU. Right now, the average life expectancy of an unpatched Windows box connected to the Internet is less than twenty minutes.
I could be at game night right now. I could be hanging out with cool people and playing Are You a Werewolf? But no.
- Mood: aggravated
The first-ever cell phone virus has been reported by antivirus research firm Kaspersky Labs.
It's still quite primitive, infects only Symbian phones, carries no payload, and spreads via Bluetooth. As such, it's a proof-of-concept, not a dangerous virus. Unquestionably, however, cell-phone viruses have been demonstrated to be technically possible and feasible...pretty scary, when you consider that Microsoft, makers of notoriously insecure operating systems and Web server software (IIS is so well-known for its security holes that a lot of people call it "Inherently insecure Server") is getting into the cell-phone operating system business.
- Mood: amused