Month: June 2015

The great ask.com debate

Warning: This article is in no way meant as a flame. I just wanted to clarify what seems to be going on in the Mauritian blogosphere; I usually don't do that, as I have better things to do. Also, if someone tells you that this article is crap, please make sure that the person saying so knows how to code properly and can read a stack trace or debug a live application.

Quick solution to remove it (if you want to): install MalwareBytes and run a scan.

Lately there seems to be wild confusion among Mauritians about ask.com's toolbar and other related apps, most probably fuelled by logan's article showing higher than expected network traffic from Mauritius to ask.com. Following that, Ish decided to write an article claiming that ask.com's toolbar isn't malicious, though the article.

http://logan.hackers.mu/2015/06/top-websites-visited-by-Mauritius-and-the-compromised-cyberisland

So it seems a lot of people are absolutely confused about which is which.

From logan's article one can deduce that there is more traffic to ask.com than normal. I guess you will all agree with me (unless I have hurt your ego in the past with my sheer arrogance, or told you to your face that you are stupid) that the average Mauritian computer user is not really interested in ask.com or its toolbar; most of them have no clue what it is!

 

To those who want stats on this: get a log of the requests going to ask.com, trace them back to the users of those machines, and check with nmap what those machines are running; you may even want to go to people's machines and have a look inside. A lot of people also complain that their "google" doesn't sound like "google".

 

 

We also shouldn't forget the number of people online who are definitely not happy about having ask.com's toolbar on their machines, and the number of articles claiming that ask.com's toolbar behaves like malware. Even Wikipedia's entry on ask.com covers its dubious application.

e.g:

https://en.wikipedia.org/wiki/Ask.com

There's even an entry on How-To Geek:

http://www.howtogeek.com/138516/the-shameful-saga-of-uninstalling-the-terrible-ask-toolbar/

 

 

Even Microsoft decided that previous versions of ask.com's toolbar were malware; see the PCWorld article on it.

Now, let's stop searching for articles to post here; instead let's get down and dirty with some facts. Looking at the analysis done by Ish, which is not so bad considering he made the effort of checking the current binary on VirusTotal, one big item seems to be missing:

He analysed the wrong file!

When we are talking about Alexa's web stats, those thousands of Mauritians who are already "infected" by this unwanted application were infected by the previous versions of ask.com's toolbar! So analysing the latest release, which has been whitelisted, and claiming that it is fine, is simply turning a blind eye to the problem. The elephant in the room is still that those thousands of Mauritians sending requests to ask.com most probably never wanted ask.com on their machines.

Just use some common sense here: do you truly want ask.com's toolbar in your browser?

Again, there might be legitimate cases where someone would want ask.com's toolbar on their machine, but the fact is that most people don't care and don't know! They just complain that their internet is acting weird!

The fishy details?

Well, Ish posted a VirusTotal link. Notice that in VirusTotal itself the behavioural information states that a read is performed on autoexec.bat and that the binary can make calls to DeviceIoControl.
This means:
— autoexec.bat usually contains the commands you want run when your system starts up.

— Microsoft defines DeviceIoControl as "Sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation".

One caveat before reading too much into those two lines: on NT-based Windows autoexec.bat is a legacy file kept around for compatibility, and ordinary installers call DeviceIoControl all the time (to query a volume or a driver, for instance), so the VirusTotal sandbox lists both for plenty of harmless software. On their own they are a reason to look closer, not proof of anything.

I haven't even mentioned the various files this toolbar drops on your system.

Method of proceeding

Ask.com's toolbar used to (and in some cases still does) add itself as a pre-selected option in other software's installers, so it usually gets installed without your real consent (at least you are given the option not to install it, but general users will not see it, as most people tend to click next, next, next :p).

So what do we know so far?

— For certain, this toolbar (the previous versions and the new ones) reads information that a toolbar generally shouldn't be reading.

— For certain, most Mauritians did not install this because they wanted it (by logical inference).

— For certain, it routes users' searches to ask.com; those unsuspecting users are unknowingly sending their search terms to ask.com without having been clearly asked whether it may do that (and for a casual, infrequent computer user, "clearly" means a very clear explanation).

— It has the ability to talk to devices. Why does a toolbar even need this?

Conclusion?
So far it has not been doing virus-like activity on people's machines, but it definitely does a lot of UNWANTED things on users' machines. It has been acting a lot like spyware (all versions) and malware (most previous versions).

It has been carefully crafted to operate in that shady grey area, and after Microsoft's recent classification of it as malware, it changed its ways to become a bit cleaner. There is enough information online!

My views about this?
Personally, I wouldn't want this on my machine. If you are into computer security and you tell me that the ask.com toolbar [old and new] is a good thing to have on your machine, then I take it that you understand the implications, and what ask.com's toolbar is actually doing in the background.

Who am I?

I'm Selven, an ordinary guy with some common sense who has worked with a few security companies in the past.
I've been studying viruses since around 1999, because it's a fun thing to do!

Note that I don't have comments on for now, because I don't really care about your opinions; I'm just posting facts, with links you can verify. If you don't believe this post, I don't really care: it is after all your machine, and you are free to do whatever you want with it. I don't want to deal with patently stupid questions when you have all the information here to go and look it up.

Final note: I am in no way saying Ish's analysis is wrong; I just mean he analysed the wrong file, when Alexa clearly shows this network traffic to ask.com has been going on for some years now. I'm also telling users to please always verify information whenever they read something online.

So after all this is written down, I ask you directly (and I don't want to know the answer, keep it in your head):

Do you really want an ask.com toolbar installed, reading files and talking to devices on your machine without your consent?

It's up to you, though; if you do, either you have a very good reason, or you really don't care about privacy or security.

Update: I might enable comments later on; someone mentioned that this could be fun 😀
Update 2: Yasir, thx for the typo correction
Update 3: Some people seem to want confirmation that Microsoft did indeed block the previous versions. As to why the page was removed, 🙂 that is a great question I'd like answered too. But hey, that is not for this debate, that is something else.

(Screenshots: askdotcomshot, askdotcom2 to askdotcom6.)

Further reading: http://blogs.technet.com/b/mmpc/archive/2014/12/11/a-timeline-of-consent-and-control.aspx

New facebook infection trending?

Hi all, it seems a lot of you have started to get infected on Facebook. Infected people start by sending everyone on their friend list a link with a nice picture of a video featuring a lady with a cute cleavage; see image:

Screenshot from 2015-06-24 17:05:36
nice cleavage by the way 😀

 

When you click on the link, you get an "update" downloaded to your machine; depending on your browser it will be e.g. Google Update 4.exe, which gets downloaded and tries to infect your machine. Of course, for Gods like me such an infection method is futile and makes me laugh, but hey, a lot of you seem to be infected with it. Here, for example, my friend Kenny got infected:

kenny

 

The downloaded file is detected by some antiviruses but goes undetected by others: e.g. AVG, F-Prot, Microsoft, Sophos etc. do not detect it.

 

It writes to these files:
C:\7b6e9c8188250160728283990137717993165dc1ac395ba22e42acc516fd4739
C:\WINDOWS\system32.exe
C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\Service Manager.exe

This little piece of shit is pretty wise: it checks whether you are debugging it and, if you are, takes a different code path. It uses DeviceIoControl to talk to device drivers (reminds me of the ask.com installer, which shows similar abilities).

It then harvests various information via these:

  • http://whos.amung.us/swidget/nexusexem
  • http://us1.science/read/ini.php
  • http://us1.science/read/conf.php

So if you were a really horrible hax0r who wanted to be leet, you would deface that box :D.

Note: an interesting thing to do would be to run this in a VM, then wireshark/tcpdump the GETs sent to those links 😀. That would be a good starting point for feeding whoever wrote this application wrong results, a bit like hacking the hacker :p. Though in no way is this guy a hacker 😀
Yes, you can get more when digging into that, e.g. have a look at https://m2-crush.com/234g/ca.php and https://us1.science/ALL.js
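The ask.com post above and this one both come down to the same first step: pull the web proxy logs, find which machines are talking to the suspicious hosts, and go and look at those machines. Here is an added example of that triage in Python. It is not code from this blog or from any of the linked articles; the log layout (date, time, client address, method, URL) and the client addresses are constructed for the demo, and the watchlist is just the hosts named in the two posts. The one detail worth copying is the label-aligned suffix match, so that search.ask.com is flagged but a name that merely ends in the same letters, like notask.com, is not.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts taken from the two posts: the Ask toolbar's search endpoint and the
# hosts the Facebook dropper talks to.  Any name under these is flagged.
WATCHLIST = {
    "ask.com": "Ask toolbar / search redirect",
    "us1.science": "Facebook dropper C2",
    "m2-crush.com": "Facebook dropper C2",
    "whos.amung.us": "Facebook dropper tracking widget",
}

# Constructed proxy log lines in a simple "date time client method url" layout.
# Not a real capture: the client addresses and timestamps are made up.
SAMPLE_LOG = """\
2015-06-24 17:05:36 10.0.0.12 GET http://whos.amung.us/swidget/nexusexem
2015-06-24 17:05:37 10.0.0.12 GET http://us1.science/read/ini.php
2015-06-24 17:05:37 10.0.0.12 GET http://us1.science/read/conf.php
2015-06-24 17:06:01 10.0.0.25 GET http://search.ask.com/web?q=google
2015-06-24 17:06:05 10.0.0.25 GET http://www.google.com/
2015-06-24 17:06:09 10.0.0.40 GET http://notask.com/index.html
2015-06-24 17:07:12 10.0.0.25 GET http://search.ask.com/web?q=weather
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client, method, url), or None for a line that does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def watchlist_hit(host):
    """Return the watchlist label for host, matching on whole DNS labels only."""
    host = host.lower().rstrip(".")
    for suffix, label in WATCHLIST.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def triage(log_text):
    """Aggregate watchlisted requests per client address.

    Returns {client: {"hits": {label: count}, "urls": [up to 5 sample URLs]}},
    ordered by total hit count, so each machine can be traced and inspected.
    """
    report = defaultdict(lambda: {"hits": defaultdict(int), "urls": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines in another format
        _ts, client, _method, url = parsed
        label = watchlist_hit(urlsplit(url).hostname or "")
        if label is None:
            continue
        entry = report[client]
        entry["hits"][label] += 1
        if len(entry["urls"]) < 5:
            entry["urls"].append(url)
    return {
        client: {"hits": dict(v["hits"]), "urls": v["urls"]}
        for client, v in sorted(report.items(),
                                key=lambda kv: -sum(kv[1]["hits"].values()))
    }


if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info["hits"])
        for u in info["urls"]:
            print("   ", u)
```

Run it as a script to print the per-client report; to use it on a real log, replace SAMPLE_LOG with the file contents and adjust LINE_RE to your proxy's format. The clients at the top of the list are the machines to visit with nmap, or in person.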

 

Oh well, there's lots of interesting stuff on that server, boring hax0r, but I need to pee, can't hold it for long, gtg!

 

 

 

Oh yes, I almost forgot: how to clean up?

You can always do a HouseCall: http://housecall.antivirus.com, and run the online virus scan from there.

Wrote this pretty quickly, didn't have time to check my English.

Sincerely,

The Eldergod!

Implications of Free Facebook in Mauritius


I usually wouldn't post such stuff, but I just wanted to spoil the party. 😀 For fun.

Apparently, Orange is going to give its subscribers free Facebook access from June 1st.

The rules are apparently:

  • Uploading pictures will cost.
  • Accessing it via mobile is free; I suppose that means m.facebook.com.
  • A minimum amount of credit should be on the phone [Rs 6 I heard, I'm not sure].

 

So, technically, Orange is saying that they are offering a free route to send traffic from Mauritius out to the big internet?

 

Questions:

  • How do they know it is pictures you are uploading? If it is by data size, then is sending your picture in multiple chunks, and getting it rebuilt and reposted somewhere, allowed?
  • One can mimic an exact Facebook conversation with the help of Wireshark, so why couldn't one send anything by mimicking it?

 

Crazy scenario:

  • Suppose I have two Facebook accounts: one used from a local machine in Mauritius, one from England.
  • On the local machine, I add a layer that encodes SSH traffic into Facebook messages, mimicking normal messages, which I send to the second account in England.
  • In England, the second account runs on a BSD machine which parses out the received Facebook messages (which, once decoded, are obviously SSH packets) and passes them on to the SSH server there.

 

Crazier implications:

  • That would mean I could transfer any data from Mauritius to England for free, when it truly isn't something free.
  • It would probably be a very high-latency connection; it will work, but slowly, and might experience timeouts.

 

Does this mean they gave us free internet without knowing it?

How do they differentiate between legit packets and non-legit ones?

In fact, a less secure alternative would be to skip the SSH and do a direct translation.
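The scenario above is a covert channel: a byte stream cut into chunks that each pass for an ordinary message, with just enough framing to survive a slow carrier that delivers late, out of order or twice. As an added illustration (not the author's code; the message format and stream id are invented here and are not anything Facebook or Orange uses), the following Python simulates the Mauritius side and the England side in memory, with no network involved. The carrier is shuffled and a couple of messages are duplicated to stand in for the latency, retries and timeouts the post expects, and each chunk carries a hash so that a message the carrier altered is dropped rather than handed to the SSH server. The same chunking is what the "pictures in multiple chunks" question above is getting at.

```python
import base64
import hashlib
import random

# Invented framing for the demo:  <stream>:<seq>:<total>:<base64 chunk>:<hash>
# where <hash> is the first 8 hex digits of SHA-256 over the raw chunk.
CHUNK = 48  # raw bytes per message: short enough to pass for a short chat line


def encode_stream(stream_id, payload, chunk=CHUNK):
    """Cut a byte stream into carrier messages that carry sequence numbers."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    total = len(pieces)
    msgs = []
    for seq, raw in enumerate(pieces):
        b64 = base64.b64encode(raw).decode("ascii")
        digest = hashlib.sha256(raw).hexdigest()[:8]
        msgs.append(f"{stream_id}:{seq}:{total}:{b64}:{digest}")
    return msgs


class Reassembler:
    """The receiving side (the BSD box in England in the post).

    Messages may arrive late, out of order or twice on a slow carrier, so
    chunks are buffered by sequence number and only released once every
    earlier chunk is in.  Anything malformed, altered or for another stream
    is dropped and counted instead of being passed on to the SSH server.
    """

    def __init__(self, stream_id):
        self.stream_id = stream_id
        self.pending = {}      # seq -> raw bytes not yet deliverable
        self.next_seq = 0      # next sequence number the consumer expects
        self.total = None
        self.rejected = 0

    def feed(self, msg):
        """Accept one carrier message; True if it was a valid, new chunk."""
        try:
            sid, seq, total, b64, digest = msg.split(":")
            seq, total = int(seq), int(total)
            raw = base64.b64decode(b64, validate=True)
        except ValueError:     # wrong field count, bad int, or bad base64
            self.rejected += 1
            return False
        if sid != self.stream_id or hashlib.sha256(raw).hexdigest()[:8] != digest:
            self.rejected += 1  # wrong stream, or the carrier changed the text
            return False
        if seq < self.next_seq or seq in self.pending or seq >= total:
            return False        # duplicate delivery (or a nonsense sequence number)
        self.total = total
        self.pending[seq] = raw
        return True

    def drain(self):
        """Return every byte that can now be delivered in order."""
        out = []
        while self.next_seq in self.pending:
            out.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return b"".join(out)

    def complete(self):
        return self.total is not None and self.next_seq == self.total


def roundtrip(payload, seed=7):
    """Simulate the whole path: encode, shuffle and duplicate two messages
    (standing in for latency and retries), then reassemble at the far end."""
    msgs = encode_stream("s1", payload)
    delivered = msgs + msgs[:2]
    random.Random(seed).shuffle(delivered)
    rx = Reassembler("s1")
    for m in delivered:
        rx.feed(m)
    return rx.drain(), rx.complete()


# Constructed stand-in for the first bytes an SSH client would send.
SAMPLE_PAYLOAD = b"SSH-2.0-OpenSSH_6.7\r\n" + bytes(range(256))

if __name__ == "__main__":
    for m in encode_stream("s1", SAMPLE_PAYLOAD)[:2]:
        print(m)
    data, done = roundtrip(SAMPLE_PAYLOAD)
    print("reassembled OK:", data == SAMPLE_PAYLOAD, "complete:", done)
```

In a real tunnel the local side would read from a socket the SSH client connects to and hand the messages to whatever posts them, and the far side would feed each received message into the Reassembler and write drain() to the SSH server's socket; nothing is delivered until the chunks before it have arrived, which is exactly where the high latency the post predicts comes from.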

 

So many questions :).

+$3|v3n

 

Delete files less than XMB

Hi, thought this might come in handy for people. I got into a situation where I had lots of rubbish files under 30M that I needed to wipe out, and did it like this:

find ./ -type f -size -30M -exec rm -f {} +

 

Of course there are several ways to do this; this is just one way :p.

Remember to be careful with that, it's rm -f after all.
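Because it is rm -f, here is an added example (not from the original post) that wraps the same find command in a small Python harness: it builds a scratch directory, runs the command with -print only as a dry run, then runs it with the -exec rm -f {} + from the post. It also shows the one gotcha with -size: find rounds a file's size up to the unit you name before comparing, so -size -30M keeps a file of 29 MiB plus one byte, because that rounds up to 30M. The M suffix itself is a GNU/BSD extension (POSIX only guarantees c for bytes), so this assumes one of those finds is on the path.

```python
import os
import shutil
import subprocess
import tempfile

MIB = 1024 * 1024


def make_tree():
    """Scratch directory with files on both sides of the 30M line.
    Sizes are constructed for the demo; find's -size looks at the apparent
    size (st_size), so sparse files created with truncate() behave the same
    as real ones."""
    root = tempfile.mkdtemp(prefix="smallfiles-")
    sizes = {
        "tiny.bin": 1024,           # 1 KiB: clearly under 30M
        "big.bin": 31 * MIB,        # 31 MiB: clearly over
        "edge.bin": 29 * MIB + 1,   # 29 MiB + 1 byte: find rounds this UP to 30M
    }
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.truncate(size)
    return root


def find_smaller_than(root, size="30M", delete=False):
    """Run the post's find command under root.

    Dry run by default: -print only lists the candidates.  With delete=True
    the -exec rm -f {} + from the post is appended, so exactly the selection
    that was listed is what gets removed.  Returns the selected paths,
    relative to root, sorted.
    """
    cmd = ["find", root, "-type", "f", "-size", "-" + size, "-print"]
    if delete:
        cmd += ["-exec", "rm", "-f", "{}", "+"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return sorted(os.path.relpath(p, root) for p in out.splitlines())


def demo():
    """Dry run, delete, then show the rounding edge case with a 31M limit."""
    root = make_tree()
    try:
        dry_run = find_smaller_than(root)              # what -size -30M selects
        deleted = find_smaller_than(root, delete=True)
        left = sorted(os.listdir(root))
        under_31m = find_smaller_than(root, "31M")     # edge.bin counts as 30M here
    finally:
        shutil.rmtree(root)
    return {"dry_run": dry_run, "deleted": deleted, "left": left,
            "under_31M": under_31m}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

The habit worth keeping is the first call: run the find with -print and read the list before adding -exec rm -f. If you need "smaller than 30 MiB" to the byte rather than find's rounded units, use -size -31457280c instead.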

 

Screenshot from 2015-06-01 18:14:58