Monday, August 30, 2010

One Million Calls Placed From Gmail in 24 Hours

If you’re as big as Google, there’s no such thing as a small product launch. So when Google introduced voice calls into its webmail service Gmail, essentially launching a Skype competitor, it was bound to be a popular feature.

How popular, exactly? Well, according to a tweet from Google, the users seem to love it, as more than one million calls were placed in the first 24 hours since the feature went live.

Let’s put that into perspective. Gmail itself is huge, with more than 176 million users (according to comScore) as of December 2009, but voice calling is currently enabled only in the U.S. (*Update: Contrary to Google’s announcement, the feature was also launched in Australia, as well as some other countries), so it’s reasonable to expect the number of users to grow as the service spreads to more countries.

The key word here, however, is “free”: Calls to the U.S. and Canada are completely free (and will stay so for at least the rest of the year), while calls to other countries are billed at modest rates.

Google has already tried to conquer several markets through Gmail — its instant messaging counterpart is very successful, while Buzz, Google’s competitor to Twitter, was much less so. Voice calls seem like a natural addition to Gmail, and if this first figure is any indication, Skype will soon have a very formidable competitor.

Sunday, August 29, 2010

This could save your LIFE!

The following internet advice, which may have a subject title such as the one above, could just get you killed.

Like any other middle aged, balding, over-weight chap my mother still worries about me. So when her friend sent this to her and many other people, she forwarded it to me first:-


Just in case!!!

Let’s say it’s 6.15pm and you’re going home (alone of course), after an unusually hard day on the job.

You’re really tired, upset and frustrated.

Suddenly you start experiencing severe pain in your chest that starts to drag out into your arm and up into your jaw. You are only about five miles from the hospital nearest your home. Unfortunately you don’t know if you’ll be able to make it that far. You have been trained in CPR, but the guy that taught the course did not tell you how to perform it on yourself.

HOW TO SURVIVE A HEART ATTACK WHEN ALONE

Since many people are alone when they suffer a heart attack, without help, the person whose heart is beating improperly and who begins to feel faint, has only about 10 seconds left before losing consciousness.

However, these victims can help themselves by coughing repeatedly and very vigorously. A deep breath should be taken before each cough, and the cough must be deep and prolonged, as when producing sputum from deep inside the chest.

A breath and a cough must be repeated about every two seconds without let-up until help arrives, or until the heart is felt to be beating normally again. Not sure I can cope with this – takes me more than 2 seconds to draw breath these days.

Deep breaths get oxygen into the lungs and coughing movements squeeze the heart and keep the blood circulating. The squeezing pressure on the heart also helps it regain normal rhythm. In this way, heart attack victims can get to a hospital. Tell as many other people as possible about this. It could save their lives!!

A cardiologist says if everyone who gets this mail sends it to 10 people you can bet that we’ll save at least one life.

Rather than sending jokes (not sure I agree with this part keep on sending them are probably stopping me getting a heart attack) please contribute by forwarding this mail which can save a person’s life….If this message comes around you ……more than once…..please don’t get irritated…..U need to be happy that you are being reminded of how to tackle….Heart attacks….AGAIN…


It sounds very plausible and if true would be worth spreading to as many people as possible. But I told my mother not to send it on to anyone until I checked it out.  I went straight to the British Heart Foundation website and other sources which revealed that this is dangerous advice and to all intents and purposes not true (except in the most extremely limited of contexts):-

IS47_Cough.pdf



Cough cardiopulmonary resuscitation

What is ‘cough cardiopulmonary resuscitation’?

There is a theory circulating from an uncertain source that you can stop
yourself from having a heart attack by practising a technique called
‘cough cardiopulmonary resuscitation’ (sometimes called ‘cough CPR’ or
‘self CPR’). It suggests that coughing vigorously when you think you may
be having a heart attack can return the electrical activity of the heart
to normal.

The British Heart Foundation (BHF) is not aware of any evidence to support
this theory and ‘cough CPR’ should never be used as a first aid technique.

What is the source of the ‘cough CPR’ technique?

You may have heard about ‘cough CPR’ or ‘self CPR’ from an email about an
article called How to survive a heart attack when alone. According to the
email, the article was originally published in a newsletter from Rochester
General Hospital in the USA. However, the hospital claims that they have
no knowledge of the source. The email says that vigorous coughing when
experiencing sudden, severe chest pain (the classic symptoms of a heart attack) may
help to restore or improve the circulation of blood, by maintaining the
heart’s normal electrical activity. The advice is very loosely based on
reports of people who have used coughing to maintain some sort of cardiac
output during cardiac arrest. There is no evidence to support this.

So what should I do if I think I am having a heart attack?

If you experience heaviness or tightness in the chest, accompanied by sweating, sickness, or feeling faint or breathless, you may be having a heart attack. You will need emergency treatment to stabilise your condition, so you need to call 999 for an ambulance immediately.

For more information
———————
www.bhf.org.uk/doubtkills

For more information on what to do if you think you are having a heart attack.

Resuscitation UK Council
www.resus.org.uk


So remember, always verify internet advice if it is not directly from a trusted source.

Malicious warez site offers Firefox 4.0 beta download scam

Like a lot of seedy stuff, this started with a Twitter post:

Firefox_20crack_twitter

The current working version of Mozilla’s Firefox browser is 3.6.8. Version 4 is in beta testing. You get them FREE from Mozilla.

Real_20Firefox

Why would you need a crack (program with its password broken) or a keygen (application that generates a password for a password-protected program) for something that is FREE?

Well, there’s a sucker born every minute and the folks at this warez (pirated software) site are betting there are a lot of them using Twitter.

Anybody who was unwise enough to bite on this (if they were running a trusted antivirus) would see this when they hit the download button for the crack or the keygen:

FF_20Crack

The crack and keygen were infected with a Trojan downloader VirTool.Win32.Obfuscator.hg!b (v). That’s the Sunbelt detection for an old standard commonly known as “2GCash-FakeCrackSerial.”

Clicking the button to download Firefox 4.0 takes the potential victim to another site:

FF_204_0_20download

That one offers a whole nest of things to download that are infected with:

FraudTool.Win32.FakeVimes
Trojan-Downloader.Win32.CodecPack.2GCash.Gen
Trojan.DNSChanger.Gen
Virus.Win32.Parite
TrojanDownloader-Win32/FakeRean

The bad guys are going after the Pirates

File-sharing organization Pirate Bay has been controversial for a long time, like maybe the length of its entire existence. It’s been in the news recently because a number of governments are trying to shut it down. That’s a situation ripe for social engineering.

We found this scheme this morning: a number of typo-squatting sites carrying the following. (Note: the REAL Pirate Bay site is thepiratebay.org.) What would lead a victim to this? The phony site piratebay.com (below) comes up as the third result on a Google search for “piratebay” or fourth for “pirate bay.”

PirateBayFake_1

The phony sites we found were:

OK, we thought we’d click the download button (kids, don’t try this at home) and see if the software really is “. . . safe and keeps me protected.”

PirateBayFake_AdwareAlert

Short answer: “no.”

It tries to download a file called “eMuleSetup.exe” from a site registered to Hotbar, Inc. VIPRE detects it as “Pinball Corporation. (v)”

The real Pirate Bay site is NOT posting any warnings.

RealPirateBay

Microsoft releases work-around tool for DLL loading vulnerability

Microsoft has posted an advisory that explains the "DLL preloading attacks" and offers a work-around tool that “allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.”

When an application loads a .dll file but doesn’t specify a full path name, Windows searches a pre-defined set of directories for it. Exploiting this, an intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code.

Advisory here: Insecure Library Loading Could Allow Remote Code Execution

How to Get Hacked on Facebook

One of the most common scenarios we observe on a daily basis is users being coaxed into phishing campaigns and malicious applications on Facebook.  As we interact with our friends and family on social networks, we tend to trust any and all of the information that appears to be from our “trusted network.”  However, Facebook is one of the most trolled social networks by cyber criminals.  They are waiting for you to make a mistake and once you make it, they will be sure to hack you and exploit your friends’ trust through your newly hacked account.

In this post, we’ll take you through the steps of how a profile on Facebook becomes hacked. Obviously, we don’t want you to follow these steps, but we hope that by arming you with this knowledge, you’ll be one step ahead in thwarting evildoers on social networks.

Step 1:  The hook

The hook always starts off with a friend’s hacked profile.  You’ll get a message (appearing to be from them) stating that you need to click on a link for something.  In most cases, it’s a “SHOCKING VIDEO” or “We caught you on tape” and the message will usually address you by your first name.

Here is an example:

ScreenHunter_13-Aug.-27-12.53

Step 2: Phishing Attempt

Now that the cyber criminals have lured you in, they’ll need your user name and password to start the next stage of the attack.  The application link you clicked on will appear to look exactly like the Facebook login site, but if you look carefully you’ll see that you are not visiting Facebook.com, but rather a malicious copy located at another website address.

Example:

ScreenHunter_14-Aug.-27-12.54

Step 3: Gaining Full Access

Now that you’ve clicked on the link and given them your credentials, they will also request that you give their malicious application full access to the personal information and various rights to post information via your profile.  This ensures that they will be able to spread this attack out to all of your friends and family once they are through with you.

ScreenHunter_15-Aug.-27-12.55

After you give the malicious application permission, the attack will now start targeting your friends.

In this example, we see a few of the victim’s friends falling for the trick:

ScreenHunter_17-Aug.-27-13.21

So there you have it.  Hook, line, and sinker. We hope that you take this information and share it with all of your friends so they know what to do in the event of a similar attack on their profile.

Friday, August 27, 2010

Facebook login phishing

Here’s one of the latest Facebook phish attempts: videos of “beautifull” girls:

Facebook_Phish_1

It might look like the Facebook login page, but, check out the URL. I don’t think you want to log in to Facebook there.

Facebook_Phish_2
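
The check that both Facebook posts above ask the reader to do by eye ("check out the URL"), written out as an added example that is not part of the original posts. The function name, verdict labels and sample URLs are constructed for illustration; the lookalike hosts use the reserved .example TLD.

```python
from urllib.parse import urlsplit

TRUSTED = "facebook.com"  # the only site that should ever receive the password


def check_login_url(url, trusted=TRUSTED):
    """Return (ok, reason) for the address of a page showing a login form."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return (False, "unparseable")
    if not host:
        return (False, "no-host")

    # Match on a label boundary: "notfacebook.com" must not pass.
    on_trusted_site = host == trusted or host.endswith("." + trusted)

    # In "https://www.facebook.com@login.example/" everything before the @
    # is a user name; the browser actually connects to login.example.
    if parts.username is not None and not on_trusted_site:
        return (False, "userinfo-disguise")
    if on_trusted_site:
        if parts.scheme != "https":
            return (False, "trusted-host-but-not-https")
        return (True, "trusted-host")

    labels = host.split(".")
    want = trusted.split(".")
    brand = want[0]
    # "facebook.com.login.example": the trusted name is only a subdomain.
    if any(labels[i:i + len(want)] == want for i in range(len(labels))):
        return (False, "trusted-name-as-subdomain")
    # "facebook-videos.example": the brand is merely part of a label.
    if any(brand in label for label in labels):
        return (False, "brand-in-hostname")
    # "videos.example/facebook/login.php": the brand appears after the host.
    if brand in (parts.path + "?" + parts.query).lower():
        return (False, "brand-in-path")
    return (False, "unrelated-host")


# Constructed sample addresses, one per case handled above.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://FACEBOOK.COM./",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com@login.example/",
    "http://facebook.com.login.example/login.php",
    "http://facebook-videos.example/login.php",
    "http://videos.example/facebook/login.php",
    "http://videos.example/watch",
]


def classify_samples():
    """Map each constructed sample URL to its (ok, reason) verdict."""
    return {url: check_login_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(f"{'OK ' if ok else 'NO '} {reason:28} {url}")
```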

DLL Hijacking Evolved

Back in November 2007, I saw this technique used by one of the variants of a worm called W32/Drom. The technique was not to execute the malicious file or component of the worm but to prevent antivirus programs from running.  The worm queries the following antivirus registry keys to get the installation path; once acquired, it creates a folder named “ws2_32.dll” with Hidden and System attributes in that location.

regkeys

When I tested this technique, it prevented the program from running, as it first loads the “ws2_32.dll” folder in the current directory.

The author of this worm may have tested that the aforementioned antivirus programs call the DLL “ws2_32.dll” not using the full path name, but only the file name. The search path used by Windows to locate a DLL has been exploited by the author of this worm to prevent certain programs from running.

And now, in 2010, another DLL hijacking technique has been introduced, which may have been used by attackers to infect systems. The technique is to drop a file of a vulnerable file type together with the malicious DLL in a directory controlled by the attacker.

We expect malware to use this technique, and we detect this malware.
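
A defender-side scan for both tricks described in this post, the DLL-named folder and the DLL planted beside a data file, as an added example that is not the author's or any vendor's detection code. The DLL name set, the extension lists and the sample tree are assumptions constructed for illustration, and the check for a System32 DLL name in an application folder goes beyond the two cases in the post.

```python
import os
import tempfile
from pathlib import Path

# Assumption: a small illustrative subset of DLL names that ship in System32.
# A real audit would enumerate System32 on a known-clean image instead.
SYSTEM_DLLS = {"ws2_32.dll", "version.dll", "winmm.dll", "dwmapi.dll"}
PROGRAM_EXTS = {".exe", ".com", ".scr"}
CODE_EXTS = PROGRAM_EXTS | {".dll"}


def scan_tree(root):
    """Return a sorted list of (finding, path relative to root) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)

        def rel(name):
            return (here / name).relative_to(root).as_posix()

        # 1. A directory named like a DLL: the W32/Drom trick, where a folder
        #    called "ws2_32.dll" sits in the antivirus installation path.
        for d in dirnames:
            if d.lower().endswith(".dll"):
                findings.append(("dll-named-directory", rel(d)))

        suffixes = [Path(f).suffix.lower() for f in filenames]
        has_program = any(s in PROGRAM_EXTS for s in suffixes)
        has_data = any(s not in CODE_EXTS for s in suffixes)

        for f in filenames:
            if not f.lower().endswith(".dll"):
                continue
            if f.lower() in SYSTEM_DLLS:
                # 2. A System32 DLL name outside System32: the application
                #    directory is searched before the system directory.
                findings.append(("shadows-system-dll", rel(f)))
            elif has_data and not has_program:
                # 3. A DLL next to documents with no program in the folder:
                #    the 2010 pattern of a data file plus a planted library.
                findings.append(("dll-beside-documents", rel(f)))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory tree of empty files to scan."""
    root = Path(root)
    layout = {
        "ExampleAV": ["scanner.exe"],
        "ExampleAV/ws2_32.dll": [],  # a folder, not a file
        "apps/tool": ["tool.exe", "toolcore.dll", "version.dll"],
        "share": ["report.pdf", "helper.dll"],
    }
    for folder, files in layout.items():
        (root / folder).mkdir(parents=True, exist_ok=True)
        for name in files:
            (root / folder / name).touch()


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:22} {path}")
```

The third finding is a heuristic: an installer folder that ships DLLs next to data files without a program will also match, so results need review before action.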

Brand new 0-day Exploit. The world is going to end! Yet again…

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days.

In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect.

This brand new 0-day exploit also uses the search path of Windows. In this case the search path for dynamically linked libraries. If an application needs to load a library dynamically then it uses a predetermined and very well documented search order to find the required libraries. This has been well documented for at least a decade.

How this new and amazing exploit works is that if some malicious or not so malicious person were to drop a library with the required name into the correct location then this library will be loaded instead of the expected one. We have seen malware exploiting this for several years. Developers call it DLL hell.

If “security researchers” are this desperate to publish exploits then it probably is a good sign. Either everybody is tired of yet another Adobe Reader exploit or it is getting harder to find exploits.

Is this really an exploit? Is this something that we should be detecting or Microsoft should be patching?

As I stated this is known and documented behavior of the Microsoft Operating systems. Unix does things a bit differently for good reasons. It definitely is not good design, but it may be problematic to fix.

It is possible to avoid being hijacked like this, but it does take a bit of work on the side of the developer. It is possible for Microsoft to fix it, but it will probably break the majority of software that runs on Windows. Should it be fixed? Probably, but Microsoft probably can’t without causing major problems.

Should we detect the exploit? That is harder. Firstly it is not an exploit. It is just the operating system doing what it should be doing. We will definitely detect any malware using this technique to spread or escalate permissions.

In the end I think this 10+ year old 0-day “exploit” (oxymoron?) is much ado about absolutely nothing new.

Monday, August 16, 2010

Internet Explorer Turns 15

Microsoft’s web browser Internet Explorer was launched 15 years ago. While it had its ups and downs over the years – version 6 was plagued by countless security issues, which made it one of the most hated browsers around – it’s still the most popular browser in the world, with the last couple of versions improving dramatically on their troubled predecessor.

The first version of the browser, Internet Explorer 1, debuted on August 16, 1995. It was based on Mosaic, a web browser Microsoft had licensed from a company called Spyglass Inc. Starting with version 3.0, Microsoft started bundling Internet Explorer with Windows, increasing its market share dramatically and ultimately squeezing once dominant browser Netscape Navigator out of the market completely.

Internet Explorer’s market dominance started to wane with the rise of popularity of Firefox, a free, open source browser which was launched in 2004, largely as an answer to the problematic IE6. After a couple of years of (somewhat inexplicable) negligence, Microsoft started working hard on improving Internet Explorer again, with version 7 being a big improvement on IE6 when it comes to security and stability.

According to the latest data from Net Applications, Internet Explorer now has a combined market share of 60.74% and Firefox is at 23.75%, followed by Chrome, Safari, Opera and others.

Right now, Microsoft is preparing for the launch of the next chapter in Internet Explorer history: Internet Explorer 9. The first public beta of the new browser is scheduled to be launched at an event in San Francisco on September 15. With the competition being as strong as it is, IE is one of Microsoft’s most important products; we’re keen to find out what the Internet Explorer team has prepared for us this time.

Facebook Dislike button scam spreads virally

Have you seen a message like this on Facebook?

dislike-updates-shadow

I just got the Dislike button, so now I can dislike all of your dumb posts lol!!

If so, don't click on the link.

It's the latest survey scam spreading virally across Facebook, using the tried-and-tested formula used in the past by other viral scams including "Justin Bieber trying to flirt", "Student attacked his teacher and nearly killed him", "the biggest and scariest snake" and the "world's worst McDonald's customer".

We've also seen slightly different wording - but pointing to the same scam.

dislike-get-button

Falling for any of these scams (which promise some lurid or eye-popping or exclusive content) typically tricks you into giving a rogue Facebook application permission to access your profile, posting spam messages from your account and asking you to complete an online survey.

And the same is true with this latest scam, which tempts you with the offer of a "dislike" button (as opposed to the normal "like" button) so you can express your opinions on other users' posts, links and uploads.

dislike-facebook-page

dislike-app-permission

If you do give the app permission to run, it silently updates your Facebook status to promote the link that tricked you in the first place, thus spreading the message virally to your Facebook friends and online contacts:

dislike-status

But you still haven't at this point been given a "Dislike" Facebook button, and the rogue application requires you to complete an online survey (which makes money for the scammers) before ultimately pointing you to a Firefox browser add-on for a Facebook dislike button developed by FaceMod.

As far as we can tell, FaceMod aren't connected with the scam - their browser add-on is simply being used as bait.

So, if you really want to try out FaceMod's add-on (and note - we're not endorsing it, and haven't verified if it works or not), get it direct from the Firefox Add-ons webpage, not by giving a rogue application permission to access your Facebook profile.

If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Omid Facebook page.

Sunday, August 15, 2010

Facebook Refreshes Notes Application

Until now, Facebook Notes has only supported text formatting through HTML, making formatting a challenging task for the majority of the site’s 500 million members. Today the social network has rolled out a refreshed version of Notes to remedy the problem.

The Facebook Notes application has been overhauled with a new look and feel that includes an easier-to-use left-hand menu and a few notable new features.

The most significant update to Notes is the addition of a text editor that includes standard formatting options that let Facebook users click to bold, italicize, underline, indent quotes and add bullet or numbered lists to their notes. Facebook Notes also now lets users tag Facebook Pages in their notes and more easily locate saved drafts.

The updates to Notes should make the application much more user-friendly and encourage more on-site note creation.

facebook-notes

How to Install LNK Update (KB2286198) on Windows XP SP2

Microsoft discontinued support for Windows XP Service Pack 2 on July 13th, and that means there is no SP2 update for the recent LNK shortcut vulnerability (KB2286198). If you review the comments from this SANS Diary post, you'll see that there was some initial confusion regarding SP2 support, due to a typo in Microsoft's Security Bulletin (MS10-046). The bulletin is now corrected.

However, even today, the download for Windows XP still includes SP2 in the file properties.

KB2286198_Properties

But if you try to install the update on an SP2 system, you'll get this error message:

KB2286198_Setup_Error

"Setup has detected that the version of the Service Pack installed on your system is lower than what is necessary to apply this hotfix. At minimum, you must have Service Pack 2 installed."

This minimum requirement reminded us of some other software that required SP3… Grand Theft Auto IV.

GTA_IV

GTA IV wouldn't install on SP2 systems when it was released in December of 2008.

And so some determined gamers came up with a registry hack.

KB2286198_Reg_Hack

It turns out that an SP2 system will think it's SP3 if you edit this key: HKLM\System\CurrentControlSet\Control\Windows, and change the DWORD value CSDVersion from 200 to 300 (and reboot).

It worked for GTA IV, so we decided to test it with KB2286198. And our test worked: WindowsXP-KB2286198-x86-ENU.exe installed on our SP2 test system once we tweaked the registry. We also tested an LNK exploit, and it did not infect the system after the patch.
Cool.

But remember, this update is NOT officially tested or supported by Microsoft for SP2. And we do NOT recommend that anybody use this tweak in a production network of any kind. Hacking the registry and applying updates is likely a very quick way to destabilize your system. You really should update to Service Pack 3 if at all possible.

If you want to experiment, do so at your own risk.

Updated to add: A reader shared this link to Security Active Blog.

The Security Update for Windows XP Embedded also installs on Windows Service Pack 2 systems and no registry tweak is needed. The file is called WindowsXP-KB2286198-x86-custom-ENU.exe.

Two Steps Away from a Free iPad

Honestly, how many times have you won free stuff by clicking on links? And no… those spam, trojan, and spyware do not count as free stuff.

We recently found a scam that promises a free iPad to application testers. Apparently, the site lures the person into joining an iPad application testing program while the site owner makes profit from SMS fee charges and affiliation programs. To enroll in the program, "testers" are required to complete two steps.

ipadscam_website

Step one: Twitter connect, where "testers" are required to log into their Twitter account, and allow an application called "Keep it to hend" to access their information.

ipadscam_twitter

Soon after, friends of the testers will receive a tweet containing a link to the iPadAppsTesting website, and a new follower known as Jennt0kvqt will be following them.

ipadscam_twitterspam

ipadscam_twitterjenny

So, who's Jenn? Nothing much can be found on her page, except for a link to her photos (it directs to an adult site that rewards those who refer somebody to join the website) and some trivial tweets.

Step two: Complete the registration by clicking a button, after which the testers will be directed to another site. After answering an iPad worthy question, they are then asked to enter their mobile phone number and agree to receive two SMS a week, each SMS costing RM8.

ipadscam_sms

At the end of the day, the iPad is yet to be seen; the testers are stuck with Twitter spam and a ridiculous charge for SMS messages.

Worried about Adobe's malware vulnerability then secure your Adobe Reader

It should go without saying that the best way to deal with malware is, of course, not to get infected in the first place.

Being aware of what products are being targeted by the bad guys may help you as well, so it may be useful to know that at the moment Adobe products are virtually the number one target across the world with millions of PCs being hit by infected Adobe PDFs. Others are being pwned via Adobe Flash ads via Facebook and other social media web sites.

Attackers send a file that has malicious code embedded in it. Once the file is opened, the computer is infected, typically with some form of identity theft malware that then steals data.

The Adobe PDF and Adobe Flash browser plug-ins are also used in “drive-by download” attacks where malware is downloaded onto the PC while the user is surfing the web.

Adobe products, just like Microsoft Windows and Microsoft Office, have near universal use on home and business computers making these applications prime targets for the bad guys. Unfortunately, since the bad guys realised this and turned their attention to finding security holes in them, they have been very successful.

Of course, the easiest way to avoid the risk of being compromised via these Adobe products is not to install them. However, this is virtually impossible for most home and business Internet users.

So if you must use Adobe Reader, then please take the time to secure it.

How to secure Adobe Reader

1. To do this, open the Adobe Reader application and choose ‘Edit’ and then ‘Preferences’.

2. On the left you will see several different categories of options to modify.

3. Under the ‘JavaScript’ category there is a checkbox ‘Enable Acrobat JavaScript’. Make sure this checkbox is not ticked/selected so that you disable Adobe Reader’s ability to run dangerous JavaScript from a PDF.

4. Under the ‘Security’ category, to specify that digital signatures are handled securely, make sure the ‘Verify signatures when the document is opened’ checkbox is ticked/selected.

5. Under the ‘Security (Enhanced)’ category, make sure the ‘Enable Enhanced Security’ checkbox is selected to help with data protection and privacy.

6. Under the ‘Trust Manager’ category we’d recommend you disable Acrobat’s ability to call external applications to handle non-PDF file attachments. So under the ‘PDF File Attachments’ heading, make sure the ‘Allow opening of non-PDF file attachments with external applications’ checkbox is not ticked/selected.

7. Then click on ‘OK’ to exit changing the preferences.

Adobe is working to address the security vulnerabilities in its products, so it’s vital to make sure you regularly check for updates to Adobe Reader, Adobe Flash and other Adobe applications. Turn on automatic updates so that your Adobe software stays up-to-date.

My “friend” has invited me “to Twitter!”

“What are you doing?
“To join or to see who invited you, check the attachment.”

twitter_invite_1

Hmmm. That looked interesting. After I clicked on it (in a virtual environment), Yahoo renamed the attachment from “Invitation+Card.zip” to “Neutral.gif” and gave a warning:

Yahoo_20detection

Nice work Yahoo.

Friday, August 13, 2010

Toy Story 3: Woody's Roundup of Scams and Fakeouts

Toy Story 3 is romping across cinemas worldwide, and rightly so – it’s the best of the series by far. I thought it might be worth pointing out that being a product aimed at children doesn’t exclude it from internet shenanigans.

If you have young children online who are partial to searching for Toy Story material, you might want to warn them about some of the below scams. One of the most popular tactics is advertising the “full movie” on Youtube, but directing the end-user to a bunch of surveys instead:

toystry1

toystry2 

toystry3 

Most of the surveys we see tend to ask a lot of questions that reveal plenty of information about the individual filling them in, and you probably don’t want your kids giving some random third party lots of information about Dad or whatever.

The Toy Story 3 game is also a juicy target for these scams:

toystry7

I’m almost certain your child does not want to dine with Gordon Ramsay at Claridges, but what do I know.

Many of the sites promoting these online versions of the film seem to use advertising networks that are a little more adult than most. Let’s break it down:

1) Child goes looking for Toy Story 3.
2) Child finds site promoting Toy Story 3.
3) Child finds their eyeballs melting into the ground and people yell “Think of the children” while all of this pops up:

toystry5_small

toystry6

toystry71

The above funfest all launched from the same site - wegotbest(dot)com - with popups contained inside the Flash player, gambling adverts popping out of the website itself and eventually throwing up a survey after the site had been inactive for ten minutes.

Amazingly, the survey didn’t contain any nudity. So there’s that.

We’ll round things off with websites asking you to install programs. Thankfully it seems the scammers out there aren’t pimping infectious “Buzz Lightyear.exe” files just yet, but they’ll still try and make some installation affiliate cash regardless.

This site is another one offering up the Toy Story 3 game:

toystry8

What’s the gag here? Well, hit the download link and you end up with the below folder on your PC:

toystry9

That’s right – you have to install a toolbar from their frontpage, and after installation a magical message will appear and the fifth word will be the password to open up the zipfiles.

In practice, all I got was the below translation software and not a magic password in sight.

toystry10

Don’t you just hate it when that happens?

Anyway, those appear to be the most common scams where Toy Story 3 is concerned right now. Sites asking to install programs in return for the Toy Story game or movie should be avoided, along with any promises that sound too good to be true on Youtube. Ensure your children stick to those rules and your PC, personal information and sanity will hopefully remain intact.

What’s in a (rogue) name? VirusTotal 2010

There is a well-respected and very useful site that everyone in the anti-virus industry uses – sometimes several times a day: Virus Total. You can upload suspicious files or their check sums to Virus Total to see if a file is malicious. The makers of a new rogue have picked up on the Virus Total name in an effort to make their malicious creation look like something legitimate:

Virus_total_20detection

What it tries to download is detected as FraudTool.Win32.FakeRean (fs).

Here’s what the real Virus Total site looks like. It basically runs your code sample or check sum against 41 anti-virus engines and displays the resulting detections.

Real_20Virus_20Total

We’ve entered the MD5 check sum of the VIPRE detection (above) and copied here a portion of the Virus Total page (32 detections cut out) with the Sunbelt detection highlighted:

Virus_20total_20working