January 2009 - Posts

IEC Web Site Compromised

Date:01.27.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies. Member countries include Japan, Australia, U.S.A., central European countries, and numerous others.
Screenshot of the IEC homepage:

The infected subdomain belongs to the TC26 group. Unprotected users are subjected to execution of obfuscated JavaScript that redirects to an exploit site hosting exploits for Internet Explorer, QuickTime and AOL SuperBuddy. Successful execution of the exploit code results in a drive-by download, which installs a backdoor on the compromised machine. Major antivirus vendors are not detecting this payload.
Screenshot of the infected subdomain:

Screenshot of the de-obfuscated code:

Websense® Messaging and Websense Web Security customers are protected against these threats.

Jan27

Just Got Unlucky: Part 3

by Argie Gallego (Anti-spam Research Engineer)

Parts 1 and 2 happened in succession in November two years ago: the open redirection services of Google and AOL were used by spammers to trick unknowing email recipients into clicking links which led them to different websites. This sequel’s celebrity is Yahoo!:


Figures 1 & 2. Sample spam.

The sample spammed messages above contain links with the string search.yahoo.com, which may lead users to think the link is legitimate or trusted. The links lead to sites (an example is shown below) which, true enough, sell replica watches and other cheap products.


Figure 3. This website offers cheap replica watches.

These sites were created just this month, and they share a single IP address. As in the earlier Google and AOL incidents, spammers took advantage of open redirection functionality, which search engines use to send users automatically to a target website. Users need only enter a URL, or a string that predictably (if not exactly) matches the site they are looking for, and they are led straight to it without ever seeing a results page.

The links in the email messages in this attack look as if Yahoo! itself produced the results, but the spammers manipulated the search results and obfuscated the URLs to lend credibility to the sites they are advertising.

Given the two-year time difference between the earlier two spamming operations and this current one, it seems clear that this technique still works for spammers. Other than adding site credibility, spammed messages are also able to evade filters because the links inside them appear legitimate. This kind of search engine exploitation is considered to be blackhat SEO (Search Engine Optimization) practice.
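The filter-evasion point above can be checked mechanically: a link whose outer host is a well-known search engine but whose query string carries a complete URL to some other host is the shape of an open-redirect abuse. The following is an added example written for this page, not code from the original post or from Trend Micro; it assumes the redirect target travels as a URL-valued query parameter (possibly percent-encoded more than once), and the watch-shop host and the parameter name are constructed placeholders, not values from the campaign.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts whose appearance in a link a reader might take as an endorsement (the page's case).
TRUSTED_HOSTS = {"search.yahoo.com"}


def embedded_urls(url: str, max_decode: int = 3) -> List[Tuple[str, str]]:
    """Return (parameter, url) pairs for every absolute http(s) URL carried in the query
    string. Peels repeated percent-encoding and recurses into the URLs it finds."""
    found: List[Tuple[str, str]] = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = value                      # parse_qsl already decoded one layer
        for _ in range(max_decode):            # peel double/triple encoding
            decoded = unquote(candidate)
            if decoded == candidate:
                break
            candidate = decoded
        inner = urlsplit(candidate)
        if inner.scheme in ("http", "https") and inner.hostname:
            found.append((key, candidate))
            found.extend(embedded_urls(candidate, max_decode))   # nested redirects
    return found


def redirect_risk(url: str) -> Optional[Dict[str, object]]:
    """Flag a link whose outer host differs from a host named inside its parameters.
    Sub-hosts of the outer host (same organisation) are not flagged."""
    outer = (urlsplit(url).hostname or "").lower()
    for key, inner_url in embedded_urls(url):
        inner_host = (urlsplit(inner_url).hostname or "").lower()
        if inner_host != outer and not inner_host.endswith("." + outer):
            return {"outer_host": outer, "param": key, "final_host": inner_host,
                    "trusted_outer": outer in TRUSTED_HOSTS}
    return None


# Constructed sample links; watches.example.net is a placeholder, not a host from the campaign.
SAMPLE_LINKS = [
    "http://search.yahoo.com/search?p=http%3A%2F%2Fwatches.example.net%2Fsale",
    "http://search.yahoo.com/search?p=http%253A%252F%252Fwatches.example.net%252F",   # double-encoded
    "http://search.yahoo.com/search?p=cheap+replica+watches",                           # plain search term
    "http://search.yahoo.com/search?p=http%3A%2F%2Fnews.search.yahoo.com%2F",          # same-org host
]


def scan_links(urls=SAMPLE_LINKS) -> List[Optional[Dict[str, object]]]:
    """Classify each link; None means no foreign host is embedded in it."""
    return [redirect_risk(u) for u in urls]


if __name__ == "__main__":
    for link, verdict in zip(SAMPLE_LINKS, scan_links()):
        print(link, "->", verdict or "no embedded redirect")
```

In a mail filter the verdict would feed reputation scoring: a link that a trusted host appears to vouch for, but which actually terminates at a freshly registered domain, deserves the scrutiny the outer host was meant to deflect.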

The timing of this run may also be related to the upcoming Valentine’s Day, as more users are expected to purchase presents online. The malware family WALEDAC was the first to take advantage of this event, sending fake ecards that led to malware.

The Trend Micro Smart Protection Network already blocks these spammed messages.

Tuesday, January 27, 2009

Embassy of India in Spain Serving Malware

The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e, where the binary is served; a complete analysis of it has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August 2008:

google-analyze .cn
yahoo-analytics .net
google-analyze .org
qwehost .com
zxchost .com
odile-marco .com
edcomparison .com
fuadrenal .com
rx-white .com


As always, the embassy is iFramed "in between" the rest of the remotely injectable sites that are part of their campaigns.

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Mac Trojans Follow Successful Windows Path

Monday January 26, 2009 at 10:46 am CST
Posted by Pedro Bueno


It’s been a week since we’ve seen the new Mac malware, the iWork09 Trojan, which is disguised as pirated software. Since then there have been several reports about new Mac Trojans.

Before this we saw mostly lame malware for Mac OSX, but the iWork09 Trojan represents a new element to Mac Trojans — sophistication. This one contains peer to peer-like characteristics and even encrypts its traffic. It has also been associated with some recent distributed denial-of-service attacks.

One thing to remember when dealing with pirated software is that you might have a high price to pay, in this case ending up with a Trojan that turns your computer into a zombie. We have seen this happen for years with Microsoft products and even with AV products. (If you search for “McAfee” on torrent sites, you will find plenty of copies with serial numbers; but you won’t know whether what you get is a Trojan version.) Now this unfortunate trend has arrived on the Mac platform, with several reports of Trojan versions of pirated Mac applications.

Take care — you often get what you pay for. ;)

Abusing Shortcut files

Monday January 26, 2009 at 10:47 am CST
Posted by Shinsuke Honjo


Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They are used to run applications and are placed where users can reach them easily, such as the Desktop and application launchers. LNK files are also placed in the Startup folder to run automatically at system boot. This indirect way of running applications is attractive to malware authors because shortcuts have not drawn users' attention from a security point of view as much as executable files have. At Avert Labs, we have recently seen malware abusing shortcut files to launch malicious files or scripts in several different ways. Here we introduce some methods we have recently seen:

  1. Create shortcut files linking to malware files

    This is an easy way to launch malware through a user’s actions or upon system reboot. These LNK files are created on the desktop, on network shares, and even in startup folders. One of the many variants of the Spy-Agent.bw trojan is known to take advantage of shortcuts to run.

  2. Parasitic Infection to shortcuts

    We have seen the W32/Mokaksu virus modify every LNK file on the desktop, adding the path of the malware file in front of the original path.

    The example above is the shortcut to Adobe Acrobat Reader infected with the malware. The path to the malicious “Config.Msi.exe” (in the red box) is inserted before the original path to “AcroRd32.exe” (in the yellow box), so the shortcut now treats the original path as a parameter to the malware file. When the shortcut is clicked, W32/Mokaksu runs and also executes the original file, while itself staying in the background. Users only see the application the shortcut was associated with, which makes the infection much harder to notice.

  3. Scripts in the shortcuts

    Shortcuts can also contain command lines for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.

    When a user clicks one of these LNK files, the embedded command line silently creates and drops FTP scripts, which then download VBS scripts from FTP servers. The downloaded VBS scripts are in turn responsible for downloading the trojan files.

In the first two cases, shortcuts are just a way of launching malware, whereas in the last case the LNK files are standalone malicious files that need no other malicious executable, only the legitimate “cmd.exe”. LNK files of this type can be attached to emails or hosted on websites, which means we need to be more careful with LNK files. Users can easily check a shortcut by browsing its file properties or viewing the file with a binary editor.

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.
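The "check the shortcut in a binary editor" advice above can be automated, because the LNK format (Microsoft's Shell Link binary format) stores the target path and the arguments in separate, well-defined fields. The example below is added for this page and is not Avert Labs code; it parses the ShellLinkHeader, the LinkInfo LocalBasePath and the StringData sections, then applies the two heuristics the three cases suggest: a target that is a command or script host (case 3), and arguments that themselves name an executable (the Mokaksu pattern of case 2, where the real target is demoted to a parameter). The sample shortcuts are constructed with the builder in the block; the directory paths and the Config.Msi.exe location are illustrative, since the page gives only the file names.

```python
import re
import struct
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constants from the MS-SHLLINK specification (Shell Link binary format).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
# StringData sections, in the order the format stores them.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))

# Interpreters that let a shortcut carry its own logic (the Downloader-BMF pattern).
COMMAND_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "ftp.exe"}
# A second program named inside the arguments (the W32/Mokaksu pattern).
EXECUTABLE_IN_ARGS = re.compile(r'\.(exe|com|scr|bat|cmd|vbs|js)(?=[\s"\']|$)', re.IGNORECASE)


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Extract the local target path and the StringData fields from a .lnk blob."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # end of the fixed ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info: Dict[str, Optional[str]] = {"target": None}
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags, _, base_off, _, _ = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:                         # VolumeIDAndLocalBasePath present
            start = pos + base_off
            info["target"] = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += li_size
    width = 2 if flags & IS_UNICODE else 1
    for flag, field in STRING_DATA:                 # each: 2-byte char count, then chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            pos += count * width
            info[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return info


def assess_lnk(info: Dict[str, Optional[str]]) -> List[str]:
    """Apply the two heuristics from the cases above; an empty list means nothing suspicious."""
    findings: List[str] = []
    target_name = PureWindowsPath(info.get("target") or "").name.lower()
    arguments = info.get("arguments") or ""
    if target_name in COMMAND_HOSTS:
        findings.append(f"target is a command/script host ({target_name}); the shortcut carries the logic")
    if EXECUTABLE_IN_ARGS.search(arguments):
        findings.append("arguments name another executable: original target demoted to a parameter")
    return findings


def build_lnk(target: str, arguments: Optional[str] = None) -> bytes:
    """Construct a minimal .lnk (LinkInfo with LocalBasePath, optional Unicode arguments)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)        # ARCHIVE attr, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    local_base = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x01, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + local_base + b"\x00"                # empty CommonPathSuffix
    string_data = b""
    if arguments is not None:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


# Constructed samples; directory paths are illustrative, the page names only the file names.
SAMPLES = {
    "clean_acrobat": build_lnk(r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    "mokaksu_style": build_lnk(r"C:\WINDOWS\Config.Msi.exe",
                               r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    "script_in_lnk": build_lnk(r"C:\WINDOWS\system32\cmd.exe", "/c echo constructed-sample"),
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: assess_lnk(parse_lnk(blob)) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["no findings"])
```

Pointing `parse_lnk` at real files from a Startup folder or a mail attachment quarantine gives the same fields the property sheet shows, without ever activating the shortcut; shortcuts that resolve through a shell item ID list only (no LinkInfo) will report no target and should be examined by hand.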

********************************************************************

Title: Microsoft Security Bulletin Major Revisions

Issued: January 28, 2009

********************************************************************

Summary

=======

The following bulletins have undergone a major revision increment.

Please see the appropriate bulletin for more details.

* MS08-074 - Critical

Bulletin Information:

=====================

* MS08-074 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx

- Reason for Revision: V2.0 (January 28, 2009): Added a footnote to the Affected Software table and two entries to the section, Frequently Asked Questions (FAQ) Related to this Security Update, pertaining to security updates KB958437 and KB958439 for supported versions of Microsoft Office Excel 2007. There were no changes to the security update binaries or detection. Customers with Microsoft Office Excel 2007 or Microsoft Office Excel 2007 Service Pack 1 who have already successfully installed KB958437 and KB958439 do not need to reinstall.

- Originally posted: December 9, 2008

- Updated: January 28, 2009

- Bulletin Severity Rating: Critical

- Version: 2.0

Conficker - Re-Booted from Windows Embedded

Published: 2009-01-27,
Last Updated: 2009-01-27 15:49:28 UTC
by Patrick Nolan (Version: 1)


Anyone with funny stories about Conficker infected Windows Embedded systems you can share please submit. I'll respond as resources allow. Thanks!

On a hopefully related note, contact your vendor - Windows Embedded January 2009 Security Updates for Runtimes Are Available

So far the site lists these updates, with no mention of MS08-067 yet:

KB 958687 - Vulnerabilities in SMB Could Allow Remote Code Execution. (MS09-001)

KB 952069 - Vulnerabilities in Windows Media Components Could Allow Remote Code Execution. (MS08-076)

Windows Embedded Products

Twam?? Twammers?

Published: 2009-01-25,
Last Updated: 2009-01-25 00:47:17 UTC
by Rick Wanner (Version: 1)


It was bound to happen. The bad guys always have to ruin a good thing. Of course email, forum and newsgroup spam has been around for over a decade; blog providers have had to fight comment spam; SMS spam is becoming more and more of a problem for the cell providers. Well, finally it has happened: spam has come to micro-blogging!

Rich Stiennon over at ThreatChaos.com published a blog post describing his research into Twitter Spam.

In a nutshell, he talks about the launch of a new application called TweetTornado.com. It counts on the fact that most Twitter users permit followers to join without permission. TweetTornado automatically creates a large number of Twitter IDs, follows a large number of users, then sends unsolicited messages from a text file to those users.

This isn't a big problem yet, but you can bet it will get worse unless Twitter can find a way to stop it before it gets bad. Either way, if you haven't already, it is probably time to consider screening who can follow you. To do that, set your Twitter account to "protect your updates". This is done through the settings link, on the account tab.

-- Rick Wanner rwanner at isc dot sans dot org

Jan25
by Mary Ermitano (Anti-spam Research Engineer)

“Dating spam” is becoming more rampant recently, which is somewhat expected due to Valentine’s Day being just a couple of weeks away.

But some of this dating spam is quite unique, and has caught our attention, as the spammed message claims to be coming from Trend Micro:

Figure 1. Spammers work their charm to attract dateless users

Figure 2. Trend Micro email addresses used for the From field

The “From” field in the emails was forged to evade spam filters. Also, a scheme called a dictionary attack is used to send the spam mails:

Figure 3. Random email addresses used in dictionary attack

A Dictionary Attack is a spammer tactic wherein spam is sent to random addresses from a given domain, hoping that some of it will get through. Unknowing users who respond will have their email addresses validated and added to the spammers’ list, thus causing the users to receive more and more spam mails.

However, a quite interesting and comical twist happens in this case. Since the “From” addresses are forged, the spammers themselves aren’t getting the replies or even the bounces to the spammed messages they sent. This attack is apparently just a waste of resources for spammers.

It serves them right for trying to sneak past spam filters by impersonating us!

The Trend Micro Smart Protection Network already blocks the spammed messages, and Web users are always reminded to not trust spammed messages no matter what these messages say.

Jan25

Fake Brazilian Job Site Leads to Info-Stealers

by Aivee Cortez (Fraud Analyst)

In this economic crisis, people tend to trust the government for possible employment opportunities. Unfortunately, cyber criminals know this and use these circumstances by attacking job-related government sites.

The Ministério do Trabalho e Emprego, or the Ministry of Work and Jobs in Brazil, is being mimicked by cybercriminals to distribute malicious files:


Figure 1. Fake Ministry of Work and Job in Brazil website

The link that leads to the download is displayed at the bottom left of the site:


Figure 2. Fake Ministry of Work and Job in Brazil website

The downloaded file despacho_artigo987221.scr is detected by the Trend Micro Smart Protection Network as TROJ_BANLOAD.JMO. TROJ_BANLOAD.JMO gathers email addresses from the affected machine by looking through files with the following file extensions:

  • .dbx
  • .eml
  • .mai
  • .mbox
  • .mbx
  • .tbb
  • .wab

The collected email addresses are saved in a text file on the affected system and then sent to a remote “drop box” through FTP. This scheme is possibly an email-harvesting technique, wherein the collected email addresses will be used for future spam runs.

TROJ_BANLOAD.JMO also connects to certain URLs to download malicious files detected as TSPY_BANKER.MOA and TSPY_BANKER.MOB. TSPY_BANKER variants are notorious info-stealers of banking-related information from affected systems.

This attack places Brazilian job hunters at risk of getting their banking information stolen, which would only worsen the affected users’ current situation.

The fake website, as well as malicious files, are now blocked and detected respectively by the Trend Micro Smart Protection Network.

Identifying and Removing the iWork09 Trojan

Published: 2009-01-24,
Last Updated: 2009-01-24 19:36:00 UTC
by Pedro Bueno (Version: 1)

So, there is no malware for Mac! Well, I am sure that we all heard this one time or another…but as you know, this is not true.

The recent iWork09 trojan shows that once more.

Some interesting facts about iWork09 and this Trojan:

  • Apple released iWork09 at Macworld 09 on January 6th (that version requires a serial number).
  • Apple decided on January 19th that no serial number would be needed for iWork09 anymore.
  • The iWork09 trojan was discovered on January 21st.

So, what would be the logical explanation? Since Apple decided that serial numbers would no longer be needed, there would be a boost in illegal torrents, and the malware writer took the opportunity to add a backdoor to the package, right?

Wrong!

When I was checking some torrents of iWork09, I noticed a different timeline: most of the infected torrents were dated approximately January 7th, just one day after the iWork09 release, and the malware file also supports this theory:

 

-rwxr-xr-x  1 pedrobueno  staff  413568  7 Jan 22:22 iworkservices

 

As you may know, this iWork09 trojan is not like the recent popupers or other Mac trojans, but a quite well developed piece of malware that uses, among other things, a p2p-like network style and an encrypted communication channel.

The ‘real’ purpose of such advanced Mac malware is not clear yet, but we will probably get more details as time goes by, and I will try to keep you posted.

What follows below is a list of command lines that will help you to identify and later remove the malware from your computer.

  • Identify if the Trojan is using the network

sudo lsof -i -P|grep -i tcp|grep -i iworkserv

The output of this command will likely be something like:

iworkserv 5326     pedrobueno    9u  IPv4 0x7170270      0t0    TCP *:<port>

 

  • Identify if the Trojan is present on the hard drive

sudo find / -iname "iworkservice*" -print

The output of this command will likely be something like:

.funnystuff/English.lproj/iWorkServices.info

.funnystuff/iworkservices

.funnystuff/iWorkServices.bom

.funnystuff/iWorkServices.pax.gz

.funnystuff/iWorkServices.sizes

 

  • Identify if the Trojan is actually running on your system

sudo ps aux |grep -i iworkservice |grep -v "grep"

 

The output will be something like this:

pedrobueno  5326   0.6  0,4   451036  15660 s002  S+    4:49     0:00.62 ./iworkservices

 

Where 5326 is the PID.

 

Removal can be done the fast way or the more complete way.

The fast way is just to kill it from the command line:

  • sudo kill -9 PID, which in this case would be 5326.

This command terminates the running process on the machine, but the file will still be there.

 

A more complete approach is to also delete the iworkservices files, to prevent it from running again.

To do that, change to the directory shown in the output of the second command and use the following:

  • sudo rm -rf iWorkservic*

  • sudo rm -rf iworkservic*

ATTENTION. The command rm -rf is a very powerful command on Unix, especially when used with superuser privileges, so use it with caution. I am not responsible for its misuse.

 

So, my next advice is to restart your machine and check it again. Remember that this malware is a backdoor with multiple capabilities, and it may update itself, making these instructions outdated.

 

So, that said, think about an AV for your Mac.

 

Some iWork references:

McAfee Avert Labs: OSX/IWService - http://vil.mcafeesecurity.com/vil/content/v_153893.htm

Intego security: http://www.intego.com/news/ism0901.asp

F-Secure: http://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml

------------------------------------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org ) - Written on a Powerbook :)

Downadup: Attempts at Smart Network Scanning

The ability of a threat to widely replicate often depends on its algorithm of finding other computers on the Internet, which are represented by an IP address. Downadup uses a variety of techniques to scan for new machines in order to maximize its infection abilities and at the same time minimize the chance of being noticed on a host.

Brute-force network scanning can cause noticeable slowdowns and network issues on the infected machine. Downadup attempts to limit its impact in two ways. Firstly, the worm contacts two well known websites and calculates the computer’s average bandwidth, then uses this value to configure how many simultaneous remote procedure call (RPC) exploit scans are allowed at one time. Secondly, a pause—between 100 milliseconds and two seconds—is taken after each scan, depending on the type of scan and if the computer is currently being used. (Downadup checks active usage by determining if a keystroke was made in the previous five minutes.)

Downadup attempts four different scans that are repeated in an infinite loop. It scans for machines on the same subnet; machines it has successfully infected previously; machines nearby those already infected; and randomly selected machines.

First, Downadup sequentially scans all the IPs in the same subnet of the infected machine, starting from the first IP in the subnet. This can include multiple subnets for multi-homed machines (machines with more than one IP address). 

Next, Downadup attempts to exploit previously infected machines. This serves two purposes—one, to re-infect machines that may have been cleaned up and two, to initiate the peer-to-peer (P2P) communication channel to receive payload files (as described in the blog article Downadup: Peer-to-Peer Payload Distribution). The worm only remembers the last 100 successfully infected machines.

Then, Downadup begins generating random IP addresses to attack. In addition to what is likely a bug rather than a feature in the random generation routine, certain IP addresses are ruled out, therefore potentially limiting certain networks from being attacked. Downadup is only able to generate approximately a quarter of the four billion possible IP addresses, which limits its ability to reach certain IP addresses via the RPC exploit.

Finally, in parallel, Downadup will also scan machines near other machines that were successfully exploited. For each exploited machine, Downadup scans the class C-sized (/24) block of the IP address and the previous ten class C-sized (/24) blocks. For example, if the successfully exploited machine is 208.77.188.166, Downadup will scan the range 208.77.178.1 to 208.77.188.255.

Further, Downadup doesn’t scan every IP address in the calculated ranges. For example, invalid IP ranges such as 127.x.x.x or 169.254.x.x are skipped. But more importantly, Downadup carries a large blacklist of IP ranges that belong to security vendors. A snippet of the list is shown below.

By not attempting to exploit security vendors, Downadup potentially avoids honeypot systems. This blacklist is also used to reject back-connect attempts as well, preventing security vendors from contacting infected hosts and gaining payload files.
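The neighbour-block arithmetic and the exclusions described above are concrete enough to model, which is useful for two defensive purposes: estimating which of your own address blocks an infected host would sweep, and recognising the sweep in flow logs. The code below is an added example for this page, not Symantec's analysis code or anything recovered from the worm. The vendor blacklist is a constructed stand-in (the real list is not reproduced on the page), and the flow records are constructed; the detector simply counts distinct port-445 destinations per /24 per source, which is what the subnet and neighbour scans look like from the network side.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

IPv4 = ipaddress.IPv4Address

# Ranges the page says the worm skips outright.
SKIPPED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("169.254.0.0/16")]
# Constructed stand-in for the security-vendor blacklist; the real entries are not on the page.
VENDOR_BLACKLIST = [ipaddress.ip_network("208.77.180.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def neighbor_range(exploited_ip: str, previous_blocks: int = 10) -> Tuple[IPv4, IPv4]:
    """The /24 containing a newly exploited host plus the previous `previous_blocks` /24s.

    Mirrors the page's example: 208.77.188.166 -> 208.77.178.1 .. 208.77.188.255
    (the range starts at .1 of the lowest block, as the article states)."""
    block = ipaddress.ip_network(f"{exploited_ip}/24", strict=False)
    lowest = max(int(block.network_address) - previous_blocks * 256, 0)
    return ipaddress.IPv4Address(lowest + 1), block.broadcast_address


def is_scan_target(ip: str, blacklist=VENDOR_BLACKLIST) -> bool:
    """False for loopback, link-local and blacklisted addresses, which the worm never touches."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SKIPPED + list(blacklist))


def candidate_targets(exploited_ip: str, previous_blocks: int = 10,
                      blacklist=VENDOR_BLACKLIST) -> List[str]:
    """Every address in the neighbour range that survives the exclusions."""
    first, last = neighbor_range(exploited_ip, previous_blocks)
    return [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)
            if is_scan_target(str(ipaddress.IPv4Address(i)), blacklist)]


def detect_subnet_sweeps(flows: Iterable[Tuple[float, str, str, int]],
                         threshold: int = 8) -> List[Tuple[str, str, int]]:
    """Flag sources whose port-445 attempts reach >= threshold distinct hosts inside one /24.

    flows: (timestamp, src, dst, dport). Walking a /24 host by host on the RPC/SMB port is
    what the subnet scan and the neighbour scan described above look like on the wire."""
    hits: Dict[Tuple[str, ipaddress.IPv4Network], Set[str]] = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport != 445:
            continue
        hits[(src, ipaddress.ip_network(f"{dst}/24", strict=False))].add(dst)
    return sorted((src, str(net), len(dsts)) for (src, net), dsts in hits.items()
                  if len(dsts) >= threshold)


# Constructed flow records: one host walking its subnet on 445, one host behaving normally.
SAMPLE_FLOWS = [(float(i), "10.0.5.23", f"10.0.5.{i + 1}", 445) for i in range(12)]
SAMPLE_FLOWS += [(20.0, "10.0.5.40", "10.0.5.9", 445), (21.0, "10.0.5.40", "10.0.5.10", 80)]


if __name__ == "__main__":
    first, last = neighbor_range("208.77.188.166")
    print(f"neighbour sweep: {first} .. {last}, {len(candidate_targets('208.77.188.166'))} targets")
    print("sweeping sources:", detect_subnet_sweeps(SAMPLE_FLOWS))
```

The threshold of eight distinct SMB destinations in a /24 is a starting point rather than a tuned value; the page's note that the worm pauses between 100 ms and two seconds per probe means a sweep of one /24 spreads over minutes, so the detector should be run over a window of that order rather than per second.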

Downadup will then refresh the list of IP addresses configured on the local machine. If any have changed since any of the related scans started, the scans are terminated, because the exploit is designed to connect back to the previously configured IP address.

Knowing what IP address to connect back to raises another issue for Downadup. With many home users behind wireless routers, firewalls, and using network address translation (NAT), many infected machines are normally not contactable from external machines. Downadup goes to great lengths to bypass these issues. We’ll investigate these techniques in a future blog article in this W32.Downadup series.

Jan25
by Aivee Cortez (Fraud Analyst)

Trend Micro researchers last week discovered yet another government web compromise — this time using a domain owned by the Republic of Mali government.

The attack strategy here is not even that notable, given that we continue to see websites of all kinds being victimized by cyber criminals for all sorts of malicious means.

The legitimate website, which uses the domain essor.gov.ml normally looks like this:


Figure 1. Legitimate website.

Cyber criminals compromised the Mali website and, by creating an additional HTML page on a subdomain, inserted the following PayPal phishing page:


Figure 2. Phishing website.

The cybercriminals’ motivation for this operation does not appear to be directly targeting Mali users and luring them into keying in their credentials on the phishing page. The advantage for the phishers is the free domain — free for them, at least, since the Mali government owns it and pays for it.

The bigger and more important implication of this threat is the continuing security problem of government-owned pages. The threat described above shows the relative ease with which criminals are able to compromise these sites for their own gain.

Online security may not be a priority for governments when they set up these pages, but incidents like this, and possible future losses (think medical records and social security records) should be a warning to take Web site security seriously.

Users are warned to be careful of bogus and malicious pages, and to make sure that what’s in the address bar is the right domain name of the site they are accessing. The URL of the Mali website meanwhile is being blocked by Trend Micro Smart Protection Network until it is cleaned.

Jan26

WALEDAC Loves (to Spam) You!

by Florabel Baetiong (Anti-spam Research Engineer)

Using holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique. The following spammed email message should then cement WALEDAC’s association with the said bot giant.


Figure 1. Spammed Valentine’s greetings.

These messages flood inboxes weeks before Valentine’s Day, also typical of previous Storm spam runs. Clicking on the link redirects the user to a site with heart images. When this page is clicked, the user is prompted to download a file, malicious of course, detected by Trend Micro as WORM_WALEDAC.AR.


Figures 2 & 3. The link in the email leads to malware.

WORM_WALEDAC.AR propagates by spamming email messages with malicious links where copies of the same worm are downloaded. Like other WALEDAC variants, it compromises the security of infected systems by opening random ports to listen for commands from a remote user.

Other earlier threats from this same malware family exhibit routines and characteristics very similar to Storm.

Besides the social engineering techniques used in email, the following are the similar methods applied by this worm family:

  • Fast-flux networks and several different name servers used per domain
  • File names ecard.exe and postcard.exe
  • In some instances, the installation of rogue antispyware

The Trend Micro Smart Protection Network blocks the email messages spammed by this worm, and detects the worm itself so it doesn’t run from systems anymore. Users should be careful in clicking links in spammed messages and in downloading files from unknown websites.

Pay to install free software


I was dealing with customer escalations the other day and came across this interesting sample. If you believed the filename install_wrar380.exe, it would install WinRar on your system; for some reason I didn’t believe it ;) .

Upon execution, the installer displays an EULA. I have copied and pasted some of the detail below:

“THE COST OF EACH SMS FROM THE USER’S MOBILE PHONE IS TWO POUNDS. UNLESS OTHERWISE SPECIFIED, THE DOWNLOAD COST SHALL BE FOUR SMS.
Please read these USAGE CONDITIONS carefully and, if appropriate, use the download service which shall imply the express and complete acceptance of each and every one of these USAGE CONDITIONS. Otherwise, please close this website.
Netlink Network Corp. offers a PREMIUM high speed download service that is efficient and virus free. In exchange, the user shall first send two SMS under the conditions specified in clause 2.2 that defines the commercial conditions of the service”

These two sections really caught my eye. From what I understood, I was going to be charged £8 in the form of 4 SMS text messages so that I could download WinRar. Alarm bells started to ring.

I clicked ‘I agree’ and was prompted for a code. To get this code, I would have to send 2 SMS text messages to 78*** (number blanked out for security reasons) with the text body ‘CD’, and I would be charged £3 for each text message. This was different from what the EULA said, but as it was cheaper I wasn’t going to argue. Also note how the text is almost the same colour as the background, making it difficult to see.

WinRar installer

As I was interested to find out if it really would install WinRar, I went to my local mobile phone store and bought a mobile phone, put £10 on it and sent a text message to the number. To my surprise, I received a text back saying:

“SMS 1/3. Price per SMS: 3 Pounds. Total cost: 9 Pounds.”

It now cost me £9 instead of £6 to download some free software, which was also more than the £8 the EULA said it would cost. I received a further 2 text messages, and the final one was labelled 2/3 even though it was the 3rd. I guess they don’t have QA. You can see the text messages I received below:

SMS 1/3

SMS 2/3

SMS 3/3

I entered the code and clicked on the ‘Install’ button. The software downloaded WinRar and went on to install it for me.

WinRar installer with code

I found the website which the sample came from and it displayed the following text at the bottom of the page:

“This website does not belong to any member's program. This program should be used based on rules of intellectual property. You may obtain this program for free from the official homepage. Using or applying cracks, serials or keygens is strictly forbidden. This portal will not be held accountable for inappropriate use of the program. Your query has been sent successfully. You will receive an answer shortly. Thank you for using our services. Due to technical issues, your query could not be sent. We apologize for the inconvenience”.

So they admit that you can download this software for free from its official homepage. They are clearly trying to trick the unsuspecting user to pay for free software.

I thought perhaps they had done this with other free software, so I did some investigating and found several other websites registered to the same company; they offer several other pieces of free software for the small price of £6, or £9 as I found out.

I found installers for Messenger Plus! Live, WinZip, WinAce, 7Zip and several others. All of these can be downloaded for free from their official sites.

Messenger Plus! Live website

The websites are aimed at English, French and Spanish users. Luckily for our European friends, they can pay for the free software in euros.

While navigating these sites, two different company names kept popping up: Netlink Network Corp and Soletto Group, S.A. I did some quick searching but couldn’t find any details on these companies.

Some of the domains had been registered as recently as late last month, so I believe we are likely to see more pop up.

I pulled all the executables I could find on the websites and added detection as SMSFraud.

Please be on the lookout for these in the future as you don’t want to pay for something which is already free.
