MoMusings

Thursday 28th July, 2005


Call 112 - London Tube Hoax

Filed under: All, Hoaxes

Seems that the hoaxers are out in force since the dreadful attacks on the 7th July, and the subsequent ‘failed’ attacks on the 21st July in London.

Here’s another one that they have started in the last few days:

Important Number you should note
25/Jul/05 09:24


If you travel to work on the tube please note the following information:
If your mobile phone has no signal (so even if you were in a tunnel) if you dial 112 it diverts to a satellite signal and puts you through to the 999 call centre.

ALL phone companies have signed up and as it is a satellite service it also gives them a trace to you if you don’t know where you are.

Why is this a hoax?

  1. 112 is the emergency number for mainland Europe, not the UK.
  2. Current non-satellite phones can’t use satellite technology.
  3. Even if you have a satellite phone, you can’t use it underground as it requires ‘line-of-sight’ to work.
  4. If you have no signal, you can’t make a call on the phone.

Spokespersons from both Orange and Vodafone state “that if you do not have a signal on your mobile, wherever you are, you simply cannot make a call.”

Comments from a London Transport spokesperson on this hoax:

This e-mail is incorrect. The 112 number does link people through to 999, but it only works if you have a signal on your mobile phone. If you have no signal bars on your phone, it will not work. It will not divert to a satellite signal.

They went on to state:

Even with a satellite mobile phone (which very few people have), you would need to have a clear line-of-sight to the satellite. You would have to be outside, not in a building or a tube tunnel.

Links:
BBC Article
Transport for London Statement
Urbanlegends page on this hoax


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Tuesday 26th July, 2005


SPAM Unsubscribe Links May Be Infectious….

Filed under: All, Malware

Just in case you are still tempted to use the unsubscribe link offered in most SPAM….

This just posted on the Kaspersky Lab - Analyst’s Diary:

“Today I ran across an interesting piece of spam. The ending contained an offer to unsubscribe by clicking “here”. Naturally, I clicked and landed on a web page (HTML) that supposedly checked my name against a database[*]. The page then showed me the following message: “your address has been removed from the mailing list”.

Sounds reasonable, doesn’t it? But … the end of the HTML file contains Exploit.HTML.Mht which uses the MHTML URL Processing Vulnerability to download malware: in my case it was Trojan-Dropper.Win32.Small.gr and Trojan-Spy.Win32.Banker.s.

Good reminder - never, ever unsubscribe from spam. At best you let the spammer know your address is live, and at worst you end up with an infected computer.”

I covered SPAM a while ago and made it clear that using the unsubscribe links offered may ‘increase’ the amount of SPAM you get. Instead of removing you from their SPAM list, you are in many cases proving that you exist and actually read their SPAM, and are therefore a more valuable spam target. Furthermore, your details will almost certainly be sold on to other spammers.

Many unsubscribe links end up on pages driven by scripting languages such as PHP, VBScript and JavaScript, or by other CGI scripts. These can carry out all sorts of tasks, including running malicious code to infect your computer. As mentioned above, these pages may carry malicious content themselves, or exploit vulnerabilities in your browser, to download malware, spyware or adware on to your PC. You have been warned.

And before anyone mentions the CAN-SPAM act [again ;-) ]…….

Sorry, but the CAN-SPAM act is a joke: it doesn’t work and is only enforceable in the US, yet over 40% of SPAM originates outside the US. Also, most spam [70% world-wide] is now sent through botnets, so the spammer [US based or not] doesn’t care about the legal ramifications as they are already breaking the law.

In reality since the CAN-SPAM act was passed SPAM levels from the US actually went up!

[*] Please don’t try this at home, Aleks is a virus researcher for Kaspersky and he almost certainly wasn’t trying to really unsubscribe but to actually see what happened when he tried to. Furthermore this was almost certainly attempted with a dummy account rather than his ‘real’ e-mail address.



Thursday 21st July, 2005


ICE - Virus Hoax E-mail

Filed under: All, Malware, Hoaxes

I recently blogged about an interesting idea from Bob Brotchie of the East Anglian Ambulance Trust in the UK. I mentioned that I thought it was a ‘good’ idea although it had a few shortcomings.

Well, as usual the hoaxers couldn’t resist and had to spoil the party by creating and distributing an e-mail that claimed that a ‘virus’ had been written to take advantage of the ICE entries in your phone.

Here are the two current versions of the ICE hoax e-mails:


The original:


Be very careful with this one [ICE]. Although the intention is great, it is unfortunately Phase One of a phone based virus that is laying a path for propagating very quickly. Passing it on is part of the virus. Interestingly, such is the deviousness of the people who write these things.
We have already seen the ‘Second Phase’ where a program is sent as part of a ringtone download that goes into your addressbook and looks for something it recognises. You’ve guessed it, an address book entry marked “ICE or I.C.E.” or whatever. It then sends itself to the ‘ICE list’, charging you for the privilege.

The other variant:

Latest Mobile Phone Scam I have just received information that there is a new mobile phone scam concerning Pay as You Go (PAYG) Mobiles.
The scam is that you are asked to set up an “In Case of Emergency (ICE) Account” on your PAYG mobile.
Apparently this is a modular system that searches for the word ICE text and then changes your phones setting and takes any PAYG credit left on your phone.
Please ensure that this information is circulated to all staff and please pass on to family and friends

East Anglian Ambulance Service have confirmed that rumours of ‘ICE’ being a virus are a hoax. There currently is no such virus.

F-Secure had this to say about the hoax’s claims about ICE: “However, now some brain-dead pranksters have started a chain-letter email warning against such practice, because a mobile phone virus might exploit it. This is nonsense. No viruses to exploit the “ICE” number exist or are likely to exist. There are viruses already that go through the full phone book and attack every number.”

A quick search of my blog entries will turn up a number of posts on malware that can [and does] infect smart phones but none are ICE specific.

Links:
Information about the ‘real’ ICE campaign can be found at www.icecontact.com
Original press release about ICE - http://www.eastanglianambulance.com/content/news/newsdetail.asp?newsID=646104183



Monday 18th July, 2005


London Bombing Alert - HOAX

Filed under: All, Hoaxes

Some people just have far too much time on their hands and the morals and sensitivity of an amoeba….

Seems like a new London Bombing Alert e-mail is filling up inboxes around the World claiming that The Metropolitan Police have warned of an imminent attack on the underground system.

Here’s the text from the e-mail that will probably appear in an e-mail inbox near you soon!

FW: IMPORTANT INFO REGARDING LONDON UNDERGROUND - STATEMENT BEING ISSUED FROM MET

The Metropolitan Police will be strongly advising everyone that the they will be putting officers on tube stations 24/7 for the next week as they highly expect another attack within this time.

The police force have been in meetings all morning and will be publicly confirming this later on this evening. They will be advising the public to avoid the tube at all costs for the time being.

This news will filter through to the media in the next few hours and if it is not in the Evening Standard it will be on the 24 hour news channels.

Please take care on your journeys home, please pass this on to as many people as you know who use the Underground.

Piccadilly Circus & Leicester Square were closed for 3 hours earlier today and the bomb squad carried out a minor controlled explosion around the station area - this is going on all over Central London.

PLEASE BE CAREFUL TRAVELLING

As with all e-mail hoaxes it doesn’t give a timeframe for when this attack is supposed to happen; this is so that it can be spread for months, if not years, without having to be re-written by the scum that created it. All they want is for people to fall for it so that they can laugh at how naive and stupid they are for believing it.

By all means be alert and take care, but don’t fall for this sort of hoax; only accept such information from a trusted, reliable and accurate source.

Links:
http://www.snopes.com/rumors/tube.asp [Snopes De-bunk of this Hoax]
http://www.met.police.uk/news/terrorist_attacks/ [Metropolitan Police Page]



Thursday 14th July, 2005


ICE, A Life Saver?

Filed under: All, Malware

Bob Brotchie, 41, a clinical team leader for the East Anglian Ambulance NHS Trust, from Cambridge [UK], with over 13 years of experience as a paramedic, has come up with a novel way of storing ‘emergency contact details’ on a mobile phone which he is proposing be adopted as a standard. He has started a nationwide campaign along with Falklands war hero Simon Weston in association with Vodafone’s annual Life Savers Awards.

He said he had been thinking about this problem [Emergency Contact Details] for some time before he hit on a possible solution. He said: “I was reflecting on some of the calls I’ve attended at the roadside where I had to look through the mobile phone contacts struggling for information on a shocked or injured person.”

So, what is ICE and how does it work?

By entering the acronym ICE - for In Case of Emergency - into the phone book of your mobile phone, you can log the name and number of someone who should be contacted in an emergency, such as if you have been in an accident or you have collapsed, etc.

If you have multiple people that should be contacted then they can be entered as ICE1, ICE2, ICE3, etc.

Part of the problem with using a victim’s mobile phone is knowing who to contact:

“It’s difficult to know who to call. Someone might have “mum” in their phone book but that doesn’t mean they’d want them contacted in an emergency. Almost everyone carries a mobile phone now, and with ICE we’d know immediately who to contact and what number to ring. The person may even know of their medical history.”

The idea follows research carried out by Vodafone that shows more than 75 per cent of people carry no details of who they would like telephoned following a serious accident.

Why am I covering this?
Well, e-mails have been flooding across the internet about ‘ICE’, so much so that some started to treat it as some sort of chain e-mail. Even ‘snopes.com’, which covers and often debunks such chain e-mails, hoaxes, scams, urban legends and their ilk, has put up a page about it. Here’s the e-mail text that has been seen in millions of e-mail boxes so far:

East Anglian Ambulance Service have launched a national “In case of Emergency ( ICE )” campaign with the support of Falklands war hero Simon Weston and in association with Vodafone’s annual life savers award. The idea is that you store the word ” I C E ” in your mobile phone address book, and against it enter the number of the person you would want to be contacted “In Case of Emergency”. In an emergency situation ambulance and hospital staff will then be able to quickly find out who your next of kin are and be able to contact them. It’s so simple that everyone can do it. Please do. Please will you also forward this to everybody in your address book, it won’t take too many ‘forwards’ before everybody will know about this. It really could save your life. For more than one contact name ICE1, ICE2, ICE3 etc

The ‘forward this to everybody in your address book’ quote is typical of many scams, hoaxes and chain e-mails.

Do I think it is a good idea? Hell, yes…..however I do have some issues with it, as well as some suggestions to solve them:

Problems:

  • Many of us secure our mobile so that a PIN needs to be entered to unlock it. A locked phone prevents the ICE entry from being read.
  • Mobiles may not be on our person or in our bags in an accident or may be damaged or destroyed, so this could also cause problems.

Solutions:

  • Instead of relying on technology, place the ICE information on a piece of paper or thin card and place it in your wallet or purse instead.
  • Just like your mother always said “let me know where you are going, and phone me when you get there”, let someone know if you are travelling and give them your planned route or travel details.

So although I think it is a good idea and have suggested some solutions to some of the issues I’ve spotted, do YOU think it is a good idea and will you use ICE from now on?

Links:
http://www.eastanglianambulance.com/content/news/newsdetail.asp?newsID=646104183
http://www.snopes.com/crime/prevent/icephone.asp




Do you like SPAM?

Filed under: All, Stats, Spam

SPAM, we all hate it right? Offers of pills to make parts of your anatomy bigger, make you perform longer, keep you up, budget software [usually stolen], access to certain types of web sites [Adult], mortgage offers, cheap holidays and/or flights, cable, dsl, web space….the list is almost endless!…SPAM, SPAM, SPAM, SPAM…..

What is SPAM and how did it get used as a term for certain classes of e-mail? All is revealed below:

SPAM definition:

1. A meat product sold in tins (Spiced Pork And Ham, like luncheon meat).
2. Slang for Unsolicited Commercial E-mail aka UCE


Use of the term “spam” was adopted as a result of the Monty Python sketch in which the SPAM meat product was featured. In the Monty Python sketch, a group of Vikings sing a chorus of “spam, spam, spam” in an increasing crescendo, drowning out other conversation. Hence, the analogy applied because UCE was drowning out normal discourse on the Internet.

One of the increasingly common uses of botnets [networks of compromised computers] is as conduits to push SPAM through. This way the SPAM appears to originate from the system under the control of the bot-herder [the controller of the botnet, which tells the compromised computers what tasks to carry out], not from the real sender, which is either the bot-herder, those that have rented the use of the botnet, or those that have stumbled upon the installed proxy server function of the bot [backdoor aka remote access trojan].

So, now you know

I know that some of you out there actually buy things advertised in SPAM e-mails. How do I know that? See this article and the cutting from it below:

More than 10 per cent of email users buy goods advertised in spam messages, according to a survey from Radicati Group.
This is despite many of these attempted purchases failing to materialise. Another nine per cent said they had lost money due to email scams advertised in spam emails.

The study was commissioned by anti-spam vendor Mirapoint and surveyed about 800 email users.

An additional 39 per cent admitted to reading the messages and clicking on links embedded in the emails.

This is a well documented method for spammers to detect whether an email address is being used. Some 57 per cent of the latter group reported that they started receiving more spam as a result of clicking on the links.

Anti-SPAM Tips:

  • Never buy anything from a SPAM e-mail, it will only make the problem worse.
  • Never use the unsubscribe links offered in the e-mail, as all you are doing in most cases is proving that the e-mail address is valid and you will get even MORE SPAM.
  • Use anti-SPAM filtering tools, such as Bayesian Filtering [built-in to Thunderbird], keyword or black-lists to automatically tag, filter and even kill SPAM e-mails sent to you.
  • Use disposable e-mail addresses, such as Yahoo, Hotmail, Lycos, etc. when posting to newsgroups. Never use your personal e-mail address as you will start getting spam within hours of it appearing. Newsgroups and websites are ‘spidered’ [searched] for e-mail addresses, which are then added to the spammers’ lists.

Anti-SPAM Tools:

  • Thunderbird - E-mail/News client with Bayesian Filtering. [Platform independent]
  • POPFile - Bayesian Filtering program, can be used with most e-mail programs. [Platform independent]
  • SpamPal - Anti-SPAM product which can be used with most e-mail programs. [windows only]

There are many others.

OK, own up: how many of you out there are in the ‘more than 10 percent’ that actually buy things advertised in SPAM, and what are you buying? Enquiring minds want to know! ;-)

Links:
1. Home page http://www.spam.com
2. Sketch script can be found here http://w3.informatik.gu.se/~dixi/spam.htm



Monday 11th July, 2005


London Bombing Donation Scam…

Filed under: All, Scams

This just in from Radio Australia:

The Australian Red Cross is moving to thwart a bogus online fund-raising appeal for victims of the London bombings.
It has been alerted to emails in Australia purporting to be from the British Red Cross, seeking donations for the London Mayor’s Relief Fund.
The Chief Executive of the Australian Red Cross, Robert Tickner, says they have no agreement in place with either organisation in regards to the London bombings.

“At this stage it’s fairly small, but we want to nip this right in the bud before it goes any further, because it is a hoax, it’s a scam,” he said.
“People [are] trying to commit a fraud here and it must be stopped.”

The very sketchy details which are currently in the public domain do not make it clear if the e-mail is a reworked 419 [Advanced Fee Fraud] scam, similar to the ones we saw [and I blogged about] back in December 2004 after the Asian Tsunami, or whether it is a Phishing scam.

There is a real ‘London Bombings Relief Charitable Fund’ which has been setup by the London Mayor and it can be found on the ‘real’ Red Cross site here.

I’ll update this blog entry when more data becomes available….

Links:
The British Red Cross
The Australian Red Cross They have a warning about the scam on their site.



Friday 8th July, 2005


London Bombing Trojan

Filed under: All, Malware

Oh dear, the scumware authors are once more showing how low they are prepared to go to infect the computers of the unsuspecting and curious, or the downright ghoulish.

This just in, a new trojan has been found which is being e-mailed out; according to MessageLabs, the e-mail containing the trojan is not yet widespread, however as it is the start of the weekend don’t expect it to stay that way for long. This trojan was being e-mailed out just hours after the attacks in London.

The details I have so far are:

Sample e-mail:

From: breakingnews@cnnonline.com
Subject: TERROR HITS LONDON
Filename:LondonTerrorMovie.zip

This [zip file] contains a file called ‘London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe’

As you can see, the from address line is forged. The <124 spaces> is 124 space characters, so that you won’t notice the .EXE extension and will believe that the file in the zip attachment is an AVI [movie] file. The ‘Checked By Norton Antivirus.exe’ is there to try and convince you that the file has been scanned and is safe, when in reality it is just a way to hide the fact that the file is an executable. The executable in the zip is packed using UPX, a common sign of a ‘suspect’ or ‘malicious’ file.
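The padded double-extension trick described above is easy to flag mechanically. The following is an added example, not code from the original post or from MessageLabs: it scans the entries of an in-memory zip, reports any executable whose name hides a decoy extension behind a run of spaces, and applies a cheap UPX-marker heuristic to the executable’s bytes. The sample zip it builds is constructed here (the ‘executable’ inside is a stand-in byte string, not a real program), and the extension lists are assumptions for the demo.

```python
import io
import re
import zipfile

# Extensions Windows executes on double-click (assumption: a representative
# list for the demo, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Extensions a reader expects to be harmless; these are used as the decoy.
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".jpg", ".gif", ".doc", ".pdf", ".txt"}
# A decoy extension followed by a run of at least five spaces.
PADDED_DECOY = re.compile(r"\.([A-Za-z0-9]{2,4})( {5,})")


def classify_name(name: str) -> dict:
    """Inspect one archive entry name for the padded double-extension trick."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    result = {"name": name.strip(), "real_ext": real_ext,
              "decoy_ext": None, "padding": 0, "suspicious": False}
    if real_ext not in EXECUTABLE_EXTS:
        return result             # media/document entries are left alone here
    result["suspicious"] = True   # any executable inside a mail attachment
    m = PADDED_DECOY.search(stem)
    if m and ("." + m.group(1)).lower() in DECOY_EXTS:
        result["decoy_ext"] = "." + m.group(1).lower()
        result["padding"] = len(m.group(2))
    return result


def has_upx_markers(data: bytes) -> bool:
    """Cheap heuristic: UPX-packed PE files carry 'UPX0'/'UPX1' section names
    and a 'UPX!' header tag. Packing alone is a hint, not proof of malice."""
    return b"UPX!" in data or b"UPX0" in data


def scan_zip_bytes(blob: bytes) -> list:
    """Scan every file entry of an in-memory zip; one finding dict per entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            f = classify_name(info.filename)
            f["upx"] = False
            # Only read executables, and cap the size to avoid decompression bombs.
            if f["real_ext"] in EXECUTABLE_EXTS and info.file_size <= 16 * 1024 * 1024:
                f["upx"] = has_upx_markers(zf.read(info))
            findings.append(f)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign clip plus an entry named like the trojan's,
    with 124 spaces between the decoy .avi and the real .exe. The 'executable'
    body is a stand-in byte string carrying UPX markers, not a real program."""
    trojan_name = ("London Terror Moovie.avi" + " " * 124
                   + "Checked By Norton Antivirus.exe")
    fake_packed_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"UPX1" + b"UPX!"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday.avi", b"RIFF....AVI LIST")
        zf.writestr(trojan_name, fake_packed_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['real_ext']:5} decoy={f['decoy_ext']} "
              f"padding={f['padding']} upx={f['upx']} name={f['name'][:40]!r}")
```

A mail gateway would apply the same checks to every archive attachment before delivery; the padding count alone is a strong signal, since no legitimate file name needs a hundred consecutive spaces.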

More details:
The e-mail arrives pretending to be a CNN newsletter, see the screenshot below:

If you open the attached zip file and run the file it contains, your system will become infected. The trojan creates a file in the %windir% directory [e.g. C:\WINDOWS or C:\WINNT] and adds itself to the registry to ensure that it gets loaded when the system starts.

Once running the trojan will search for a list of SMTP [mail] servers that your system is configured to use and uses these to send large quantities of SPAM.

At this time none of the 14 virus scanners I have at hand can detect this.

The use of disasters, celebrities and other topical news items as methods to spread malware is nothing new. We have seen a number of similar trojans so far this year, and I’ll be very surprised if we don’t see more ‘London Bombing’ trojans over the next few weeks.

If you needed any more proof that you should avoid the temptation to open unsolicited email attachments, then add this to the existing pile of reasons not to become a ‘click-a-holic’.

Links:
http://www.theregister.co.uk/2005/07/08/london_bombing_spambot/




Sasser Author Tip-off Nets $250,000

Filed under: All, Malware

Following on from my earlier report on the result of the Sasser worm author trial….

This just in from Cnet:

The Sasser case is the only success so far for Microsoft’s Anti-Virus Reward Program, which was launched in November 2003. The program has offered a total of $1 million to informants who help close official investigations into four major viruses and worms, including Sasser, and has another $4 million earmarked for future rewards.

Microsoft has not disclosed the identity of the informants in the Sasser case, but the software giant said Friday it will pay the reward money to two individuals who helped identify the worm’s author. They will share the $250,000.

According to various sources Jaschan was ‘fingered’ by a couple of his mates who were after the ‘Microsoft Anti-Virus Reward’ of $250,000 US Dollars.

If you are interested, according to Microsoft’s Web site, rewards of $250,000 can still be collected for information that leads to the arrest and conviction of those responsible for launching the MyDoom.B worm, the Sobig virus and the MSBlast.A [aka Blaster] worm.

Any budding Wyatt Earp wannabes out there ;-)




Sasser Worm Author Convicted….

Filed under: All, Malware

But only gets a suspended sentence of 21 months and ordered to do 30 hours of community service - meaning he will walk free!

Here’s a quote from one of the reports:

Sven Jaschan, 19, was found guilty of computer sabotage and illegally altering data, said Katharina Kruetzfeld, a spokeswoman for the court in the northwestern town of Verden.

Jaschan admitted creating the worm at the start of the trial on Tuesday the 5th July.

He was arrested back in May 2004 “sitting at his computer” at his home in the small northern German town of Waffensen after Microsoft received a tip-off from an informant seeking the reward of $250,000 that they were offering for information on those responsible for Sasser.

Sasser exploited a flaw [vulnerability] in the Windows 2000 and Windows XP operating systems. From its release date of the 1st of May 2004 it started to infect unpatched systems and spread to other systems which had not been patched.

Microsoft had released a patch for this loophole on 13th of April 2004 and an updated patch on the 28 April 2004, however many companies at that time took on average 2-4 months to test new patches before deploying them to fix vulnerable systems.

[Screenshot: Windows error messages displayed when a system became infected by Sasser.]

According to the news item: “Authorities who questioned Jaschan said they got the impression his motive was to gain fame as a programmer.” He got infamy instead, and was offered a job at a security software company.

SecurePoint employed Jaschan, the [now convicted] creator of a number of Netsky variants [many of which were quite destructive] and Sasser, as a trainee software developer working on the company’s firewall products. Would you buy a firewall from this company, knowing a self-confessed virus author may have had a hand in it?

As I mentioned before in my rant on this very blog back in November last year:

What sort of message is being given out by the current trend of a small minority of security firms who seem to be going out of their way to actively seek out and employ virus writers and ex-virus writers?

I think that some elements in society see malware authors as some form of glorified digital freedom fighters, talented programmers or uber geeks….when in reality they are nothing more than criminals and should be treated as such!

This quote from Graham Cluley of Sophos clearly shows that Jaschan’s creations are a real threat: “Even a year after his arrest, it is more likely that you will be infected by a worm written by Sven Jaschan than any other virus author”.

The sentence he has received is well short of the maximum sentence of five years in jail that a conviction of computer sabotage carries under German law.

What do you think, both on his level of sentencing and his working for a company that makes security software?

Links:
http://news.bbc.co.uk/1/hi/technology/4659329.stm
http://www.sophos.com/virusinfo/articles/sasserfree.html


